Add device-connect-server learning path (draft)

content/learning-paths/embedded-and-microcontrollers/device-connect-server/_index.md

@@ -0,0 +1,56 @@
+---
+title: Connect Devices and AI agents through Device Connect Server
+
+draft: true
+cascade:
+    draft: true
+
+minutes_to_complete: 30
+
+who_is_this_for: This is a follow-on topic for developers who have a working Device Connect mesh and want to add a server layer on top. The server gives you a persistent device registry, distributed state, and security primitives (commissioning, ACLs) so you can operate a multi-network fleet from one place.
+
+learning_objectives:
+    - Understand what the Device Connect server adds on top of the edge SDK and when you'd reach for it
+    - Provision a hosted tenant on the Device Connect portal and download per-device NATS credentials
+    - Commission two simulated devices against your tenant using the credentials the portal issues
+    - Discover and invoke commissioned devices from a Python client using `device-connect-agent-tools`
+    - Connect a Strands AI agent to the same tenant
+
+prerequisites:
+    - Familiarity with the Device Connect edge SDK (the [device-to-device Learning Path](/learning-paths/embedded-and-microcontrollers/device-connect-d2d/) is a good starting point)
+    - An account on the [Device Connect portal](https://portal.deviceconnect.dev/)
+    - Basic familiarity with Python and the command line
+
+author:
+    - Kavya Sri Chennoju
+    - Annie Tallund
+
+### Tags
+skilllevels: Introductory
+subjects: Libraries
+armips:
+    - Cortex-A
+    - Neoverse
+operatingsystems:
+    - Linux
+    - macOS
+tools_software_languages:
+    - Python
+    - Docker
+
+further_reading:
+    - resource:
+        title: Device Connect
+        link: https://deviceconnect.dev/
+        type: website
+    - resource:
+        title: device-connect-server package
+        link: https://github.com/arm/device-connect/tree/main/packages/device-connect-server
+        type: documentation
+
+### FIXED, DO NOT MODIFY
+# ================================================================================
+weight: 1
+layout: "learningpathall"
+learning_path_main_page: "yes"
+---

content/learning-paths/embedded-and-microcontrollers/device-connect-server/_next-steps.md

@@ -0,0 +1,17 @@
+---
+# ================================================================================
+#       FIXED, DO NOT MODIFY THIS FILE
+# ================================================================================
+weight: 21
+title: "Next Steps"
+layout: "learningpathall"
+---
+
+## Where to go next
+
+From this baseline you can extend the deployment in a few directions:
+
+- swap Zenoh dev mode for [Zenoh with TLS](https://github.com/arm/device-connect/tree/main/packages/device-connect-server#secure--zenoh-tls) using the `generate_tls_certs.sh` script in `security_infra/`
+- swap to a NATS backend with [JWT authentication](https://github.com/arm/device-connect/tree/main/packages/device-connect-server#authenticated--nats-jwt-auth) for per-device credentials
+- explore the [multi-tenant deployment](https://github.com/arm/device-connect/tree/main/packages/device-connect-server#multi-tenant-deployment) flow when several teams or workshops share the same infrastructure
+- replace the simulated number-generator with a real sensor or robot driver using the same `DeviceDriver` pattern from the edge SDK

content/learning-paths/embedded-and-microcontrollers/device-connect-server/background.md

@@ -0,0 +1,89 @@
+---
+title: Why add a Device Connect server
+weight: 2
+
+# FIXED, DO NOT MODIFY
+layout: learningpathall
+---
+
+## From device-to-device (D2D) to server
+
+The [device-to-device Learning Path](/learning-paths/embedded-and-microcontrollers/device-connect-d2d/) showed Device Connect in its simplest shape. Each runtime is a peer on the same local network. Devices find each other automatically, exchange typed events, and call each other's remote procedure calls (RPCs) directly. There is no broker, registry, or cloud service to run.
+
+That model is useful when everything is close together. It works well for prototypes, lab demos, and small fleets on one local area network (LAN). It is also a good fit when a cloud round-trip would add unnecessary delay.
+
+As soon as the fleet grows, D2D mode starts to run out of road. You may need devices on different networks to talk to each other. You may need a registry that remembers devices after they disconnect. You may also need stronger identity, credential rotation, or audit logs.
+
+Use a Device Connect server when you need:
+
+- a **persistent registry** that survives device reboots and lets new clients list known devices
+- **distributed state** shared between devices and agents, with leases and watches
+- **multi-network reach** for devices and agents on different LANs, behind network address translation (NAT), or in the cloud
+- **fleet-wide operations** such as commissioning devices and rotating credentials
+- **stronger security controls** such as per-device identity, JSON Web Token (JWT) credentials, role-based access control lists (ACLs), and audit logs
+
+The [`device-connect-server`](https://github.com/arm/device-connect/tree/main/packages/device-connect-server) package is the layer that adds those capabilities on top of the edge software development kit (SDK) you already know.
+
+## What the server adds
+
+The server does not change how you write device code. Devices still use `DeviceDriver`, `@rpc`, `@emit`, `@periodic`, and `@on`. Clients and artificial intelligence (AI) agents still use `discover_devices()` and `invoke_device()`.
+
+The server changes how devices find and trust each other. In D2D mode, each runtime discovers nearby peers directly. With a server, every device and agent connects to a shared service.
+
+That shared service gives you a few fleet-level building blocks:
+
+- **routing** so devices on different networks can join the same mesh
+- **registry** so clients can see known devices, their capabilities, and their last-known status
+- **shared state** so devices and agents can coordinate through a common store
+- **commissioning** so each device gets its own trusted credential
+- **security controls** such as Transport Layer Security (TLS), mutual TLS (mTLS), JSON Web Token (JWT) authentication, role-based access control, and audit logging
+
+Device Connect supports different messaging backends, including Zenoh, NATS, and Message Queuing Telemetry Transport (MQTT). In this Learning Path, you will use the hosted portal with NATS credentials. That lets you focus on the device and agent code instead of running the server yourself.
+
+## A note on commissioning
+
+Commissioning means giving a device or agent a trusted identity before it joins the mesh. Without commissioning, a process is just code trying to connect. With commissioning, the server can decide whether that process is allowed to publish, subscribe, register itself, or call an RPC.
+
+The credential format depends on the messaging backend:
+
+- with **Zenoh**, commissioning means issuing the device a client TLS certificate signed by a shared certificate authority (CA)
+- with **NATS**, commissioning means issuing the device a JWT credential bound to its tenant
+
+In both cases, the credential answers the same question: is this identity allowed on this mesh?
+
+In this Learning Path, you will use the [Device Connect portal](https://portal.deviceconnect.dev/) to download NATS credentials for three default identities on your tenant. Two identities will run simulated robot arms. The third identity will run the Python client or agent.
+
+## Where this sits in the architecture
+
+In the diagram, pub/sub means publish/subscribe, KV means key-value, LC means LangChain, and MCP means Model Context Protocol.
+
+```
+┌──────────────────┐     ┌──────────────────────┐     ┌─────────────────────┐
+│  Devices         │     │  Device Connect      │     │  AI agents          │
+│  (edge SDK)      │     │  server              │     │  (agent-tools)      │
+│  DeviceDriver    │◄───►│  Pub/sub  ·  Registry│◄───►│  discover_devices() │
+│  @rpc  @emit     │     │  KV       ·  Security│     │  invoke_device()    │
+│  @periodic  @on  │     │                      │     │  Strands / LC / MCP │
+└──────────────────┘     └──────────────────────┘     └─────────────────────┘
+```
+
+Devices and agents still talk to each other through the same primitives (`@rpc`, `@emit`, `discover_devices`, `invoke_device`). The Device Connect server runs the pub/sub messaging, the persistent registry, the shared key-value store, and the security layer in one place.
+
+The animation below shows the same idea end to end. A Device Connect server runs in Berlin. Robots in San Francisco and Tokyo install `device-connect-edge` and register with it. An AI agent in Bangalore installs `device-connect-agent-tools` and drives both robots through the server. Every `invoke_device` call and every event flows through the server.
+
+<video width="100%" controls muted playsinline>
+  <source src="https://raw.githubusercontent.com/kavya-chennoju/arm-learning-path-assets/main/videos/device-connect-server-overview.mp4" type="video/mp4">
+  Your browser does not support the video tag.
+</video>
+
+## What you'll do in this Learning Path
+
+In the rest of this Learning Path you will:
+
+- sign in to the Device Connect portal and identify your tenant slug
+- download credentials for the three default device identities
+- run two simulated robot arms with `device-connect-edge`
+- discover and invoke both devices from a Python client using `device-connect-agent-tools`
+- optionally attach a Strands AI agent to the same tenant
+
+The next section walks through the setup.