S204: deep debt evolution — safety docs, hardcoded→constants, dep hygiene, mock isolation, lint reason, deny cleanup

Phase 1: Add // SAFETY comments to all 13 unsafe blocks in ffi_loader.rs
Phase 2: Replace hardcoded toadstool-main/toadstool-primary with INSTANCE_ID/PRIMAL_NAME constants; mDNS duplicate → TOADSTOOL_SERVICE_TYPE
Phase 3: Unify serde_yaml_ng to workspace=true (5 crates); remove unused humantime-serde from CLI; align rustix 1.0→1.1 in secure_enclave; fix stale WASM/zstd comment
Phase 4: Gate InMemoryAgentBackend + AgentBackendDispatch::InMemory + with_inmemory behind #[cfg(any(test, feature = "test-mocks"))]
Phase 5: Convert bare #[allow] to #[allow(reason)] in 9 crate lib.rs + 1 struct
Phase 6: Remove stale BSD-3-Clause-Clear license allow; activate zstd-sys ban; document ring clarify as defensive
7,832 lib tests, 0 failures, clippy clean, fmt clean.

Made-with: Cursor

Author: westgate

DEBT.md

@@ -1,13 +1,28 @@
 # Active Technical Debt Register
 
-**Date**: April 2026 — S177
+**Date**: April 2026 — S204
 **Philosophy**: Math is universal, precision is silicon. Workarounds are
 short-term solutions that increase debt. We aim to solve deep debt over
 iterations, evolving toward vendor-agnostic, capability-based solutions—
 with production stubs surfacing typed configuration errors and capability
 guidance, and auth policy driven by explicit environment configuration
 where applicable.
 
+**S204 (Deep Debt Evolution)**: Resolved **D-SAFETY-DOCS** (13 `// SAFETY`
+comments added to `ffi_loader.rs` — last file without them), **D-HARDCODED-IDS**
+(`toadstool-main`/`toadstool-primary` → `INSTANCE_ID`/`PRIMAL_NAME` constants;
+mDNS duplicate `"_toadstool._tcp.local."` → `TOADSTOOL_SERVICE_TYPE`),
+**D-DEP-HYGIENE** (`serde_yaml_ng` unified to `workspace = true` in 5 crates;
+unused `humantime-serde` removed from CLI; `rustix` aligned 1.0→1.1 in
+secure\_enclave; stale WASM/zstd comment corrected), **D-MOCK-ISOLATION**
+(`InMemoryAgentBackend` + `AgentBackendDispatch::InMemory` +
+`AgentDeploymentManager::with_inmemory` gated behind `#[cfg(any(test,
+feature = "test-mocks"))]`), **D-LINT-EVOLUTION** (bare `#[allow]` blocks
+in 9 crate roots + 1 struct → `#[allow(..., reason = "...")]`),
+**D-DENY-CLEANUP** (stale `BSD-3-Clause-Clear` license removed; `zstd-sys`
+ban uncommented/active; `ring` clarify documented as defensive).
+7,832 lib tests, 0 failures, clippy and fmt clean.
+
 **S177 (Deep Debt Evolution)**: Resolved **D-PROD-STUBS** (StubRuntimeEngine
 `ToadStoolError::configuration` with capability guidance; `NoopCryptoProvider`
 unchanged), **D-AUTH-OVERSTEP** (JWT issuer from `TOADSTOOL_AUTH_ISSUER` with

DOCUMENTATION.md

@@ -1,6 +1,6 @@
 # ToadStool Documentation Hub
 
-**Last Updated**: April 2026 — S177
+**Last Updated**: April 2026 — S204
 
 ---
 
@@ -30,11 +30,11 @@ These root documents were **fully resolved** and **fossilized** in wateringHole
 
 ---
 
-## Current State (S177 — April 2026)
+## Current State (S204 — April 2026)
 
 **Post-budding, dependency-sovereign, IPC-first, fully concurrent, capability-based.** barraCuda is a separate primal at `ecoPrimals/barraCuda/`. ToadStool is the hardware infrastructure layer — GPU/NPU/CPU discovery, capability probing, workload orchestration, and shader dispatch.
 
-- **20,000+ tests** (7,789 lib-only S177), 0 failures, 0 clippy warnings, 0 fmt diffs. Full workspace concurrent test suite.
+- **20,000+ tests** (7,832 lib-only S204), 0 failures, 0 clippy warnings, 0 fmt diffs. Full workspace concurrent test suite.
 - **65 JSON-RPC methods** (incl. `compute.execute` direct route S203f). Wire Standard L3 (partial): `cost_estimates`, `operation_dependencies`. IPC compliant (`health.liveness` → `{"status":"alive"}`, `health.readiness` → ready+version, `health.check` full envelope, `capabilities.list`, `identity.get`).
 - **Dual-socket IPC** — `compute.sock` (JSON-RPC primary, biomeOS routes here) + `compute-tarpc.sock` (tarpc hot-path). Override: `TOADSTOOL_SOCKET` / `TOADSTOOL_TARPC_SOCKET`. Family: `compute-{fid}.sock` / `compute-{fid}-tarpc.sock`.
 - **Pipeline dispatch** — `compute.dispatch.pipeline.submit` + `.status` for ordered multi-stage workloads (DAG, topological sort, result forwarding). Resolves neuralSpring PG-05.
@@ -44,7 +44,7 @@ These root documents were **fully resolved** and **fossilized** in wateringHole
 - **BTSP Phase 2 + JSON-line relay (S176)** — Handshake enforced on every UDS accept path; auto-detects plain-text clients (primalSpring) and degrades gracefully. JSON-line BTSP auto-detection on `0x7B` path routes `"protocol":"btsp"` to `relay_json_line_handshake()` (4-step BearDog IPC relay). Family seed loading via `load_family_seed_for_btsp()` (env→file cascade).
 - **async-trait DEPRECATED** (S203r) — fully removed and banned in `deny.toml`. All ~91 annotations evolved to manual `Pin<Box<dyn Future>>` (dyn-dispatched) or native AFIT (non-dyn), and subsequently enum dispatch + RPITIT (S203s). Zero runtime behavior change. Transitive only via axum/config/wiggle.
 - **`deny.toml` ring ban active** — ecoBin v3 compliant. `ring` absent from lockfile.
-- **46 unsafe blocks (all in hw-safe/GPU/VFIO/display containment crates)**; all SAFETY-documented with `debug_assert!` pre-conditions. Workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow]`.
+- **49 unsafe blocks (all in hw-safe/GPU/VFIO/display/plugin containment crates)**; all SAFETY-documented (S204: ffi\_loader.rs gap closed). Workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow]`.
 - **Edge discovery evolved (S203m)** — USB via `/sys/bus/usb/devices/`, Bluetooth via sysfs adapter enumeration, IPv6 via `/proc/net/if_inet6`. All gracefully degrade on non-Linux.
 - **Scheduler queuing (S203m)** — `schedule_job` → `UniversalJobQueue::add_job` inserts into per-priority queues (was metadata-only). `schedule_local_job` logs post-enqueue telemetry.
 - **Hardcoding sweep (S203m–p)** — sysfs/procfs paths centralized to `platform_paths`; all `TOADSTOOL_*` env var literals interned to `socket_env` constants (~55 new in S203p). `env_overrides` subsystem fully converted.

NEXT_STEPS.md

@@ -1,8 +1,8 @@
 # ToadStool -- Next Steps
 
-**Updated**: April 2026 — S177 (Deep Debt Evolution)
-**Status**: Production-grade | Rust edition **2024** (MSRV 1.85) | **AGPL-3.0-or-later** | **All quality gates green** | **7,789 lib-only** tests verified (20,000+ workspace, 0 failures) | **~65 JSON-RPC methods** | Wire Standard L3 (partial) | Zero C FFI deps (ecoBin v3.0) | Zero production unwraps | IPC-first | workspace `unsafe_code = "deny"`, **41 crates `forbid`** | **46 unsafe blocks** (all in hw containment) | **0 production TODOs** | **rustix 1.x workspace-wide** | **capability-based primal references (no hardcoded names)** | **`async-trait` DEPRECATED** (banned in `deny.toml`) | **`deny.toml` ring + async-trait bans active** | **env centralized via config structs** | **real Linux sandbox (rustix)** | **real resource metrics (cgroup v2/proc)** | **plugin loading (libloading)** | **binary tarpc framing (MessagePack)** | **BTSP JSON-line relay (Phase 45c)**
-**Latest**: S177 — Deep Debt Evolution: production stubs → `ToadStoolError::configuration` + capability guidance; JWT issuer → `TOADSTOOL_AUTH_ISSUER` (BEARDOG default); workspace `base64` unified; ~20 stale feature flags removed; OpenCL stub files + deprecated discovery variants removed; `deny.toml` tightened. **7,789 lib-only** tests, 0 failures, clippy clean, fmt clean.
+**Updated**: April 2026 — S204 (Deep Debt Evolution)
+**Status**: Production-grade | Rust edition **2024** (MSRV 1.85) | **AGPL-3.0-or-later** | **All quality gates green** | **7,832 lib-only** tests verified (20,000+ workspace, 0 failures) | **~65 JSON-RPC methods** | Wire Standard L3 (partial) | Zero C FFI deps (ecoBin v3.0) | Zero production unwraps | IPC-first | workspace `unsafe_code = "deny"`, **41 crates `forbid`** | **49 unsafe blocks** (all in hw containment, all SAFETY-documented) | **0 production TODOs** | **rustix 1.x workspace-wide** | **capability-based primal references (no hardcoded names)** | **`async-trait` DEPRECATED** (banned in `deny.toml`) | **`deny.toml` ring + async-trait + zstd-sys bans active** | **env centralized via config structs** | **real Linux sandbox (rustix)** | **real resource metrics (cgroup v2/proc)** | **plugin loading (libloading)** | **binary tarpc framing (MessagePack)** | **BTSP JSON-line relay (Phase 45c)** | **Display Phase 2 (petalTongue IPC)**
+**Latest**: S204 — Deep Debt Evolution: ffi\_loader.rs SAFETY docs (13 blocks); hardcoded IDs → constants (`INSTANCE_ID`, `PRIMAL_NAME`, `TOADSTOOL_SERVICE_TYPE`); `serde_yaml_ng` workspace unified (5 crates); unused `humantime-serde` removed; `rustix` aligned; `InMemoryAgentBackend` gated to test-only; bare `#[allow]` → `#[allow(reason)]` in 10 sites; `deny.toml` stale entries cleaned. **7,832 lib-only** tests, 0 failures, clippy clean, fmt clean.
 
 ---
 

README.md

@@ -42,7 +42,7 @@ Nest    = Tower  + Storage            <- storage
 | `cargo fmt --all -- --check` | 0 diffs |
 | `cargo clippy --workspace --all-targets -- -D warnings` | 0 warnings |
 | `cargo doc --workspace --no-deps` (RUSTDOCFLAGS="-D warnings") | 0 warnings |
-| `cargo test --workspace` | **20,000+ tests, 0 failures** (7,789 lib-only verified S177), **~93** ignored (hardware-gated); full workspace ~3m30s |
+| `cargo test --workspace` | **20,000+ tests, 0 failures** (7,832 lib-only verified S204), **~93** ignored (hardware-gated); full workspace ~3m30s |
 | Doctests | All passing (common, core, server, cli, testing, display) |
 | Standalone clone test | Pull to any machine, `cargo test` works (GPU-optional, CPU fallback, device-lost resilient) |
 | `unsafe` blocks | **46 actual** (all in hw-safe/GPU/VFIO/display containment crates); SAFETY-documented with `debug_assert!` pre-conditions; workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow(unsafe_code, reason)]` |
@@ -247,7 +247,7 @@ toadStool/
 | Clippy pedantic warnings | 0 (workspace-wide `clippy::pedantic` clean; `#[expect]` evolution S131+) |
 | Doc warnings | 0 |
 | Build warnings | 0 |
-| Workspace tests | **20,000+**, 0 failures (7,789 lib-only S177) |
+| Workspace tests | **20,000+**, 0 failures (7,832 lib-only S204) |
 | Lib-only line coverage | ~83.6% |
 | Full workspace test time | ~3m30s (unlimited parallelism, `cfg!(test)` fast timeouts; GPU crates have NVK resilience wrappers) |
 | `unsafe` blocks | **46 actual** (all in hw-safe/GPU/VFIO/display containment crates); SAFETY-documented with `debug_assert!` pre-conditions; workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow(unsafe_code, reason)]` |
@@ -381,7 +381,7 @@ See [DEBT.md](DEBT.md) for full register and evolution paths.
 
 ---
 
-**Last Updated**: April 2026 — S177 (Deep Debt Evolution). **20,000+** workspace tests, 0 failures (7,789 lib-only). ~83.6% lib-only line coverage (target 90%). **65 JSON-RPC methods** (direct) + semantic registry with **Wire Standard L3** (cost_estimates + operation_dependencies). AGPL-3.0-or-later. Zero C FFI deps (ecoBin v3.0). **46 unsafe blocks** (all in hw-safe/GPU/VFIO/display containment crates); SAFETY-documented with `debug_assert!`; workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow(unsafe_code, reason)]`. IPC-first JSON-RPC (dual-socket: `compute.sock` + `compute-tarpc.sock`). Rust 1.85+ (edition 2024, MSRV). **async-trait DEPRECATED** — fully removed, banned in `deny.toml`. **env_overrides fully interned** (socket_env). Real monitoring (sysmon + statvfs). **BTSP Phase 2 + JSON-line relay** (primalSpring Phase 45c). **Capability-based discovery compliant** per `CAPABILITY_BASED_DISCOVERY_STANDARD.md` v1.2.
+**Last Updated**: April 2026 — S204 (Deep Debt Evolution). **20,000+** workspace tests, 0 failures (7,832 lib-only). ~83.6% lib-only line coverage (target 90%). **65 JSON-RPC methods** (direct) + semantic registry with **Wire Standard L3** (cost_estimates + operation_dependencies). AGPL-3.0-or-later. Zero C FFI deps (ecoBin v3.0). **49 unsafe blocks** (all in hw-safe/GPU/VFIO/display/plugin containment crates); all SAFETY-documented (S204: ffi\_loader.rs gap closed); workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow(unsafe_code, reason)]`. IPC-first JSON-RPC (dual-socket: `compute.sock` + `compute-tarpc.sock`). Rust 1.85+ (edition 2024, MSRV). **async-trait DEPRECATED** — fully removed, banned in `deny.toml`. **env_overrides fully interned** (socket_env). Real monitoring (sysmon + statvfs). **BTSP Phase 2 + JSON-line relay** (primalSpring Phase 45c). **Display Phase 2** (petalTongue IPC: `display.present`, `display.subscribe_input`, `display.poll_events`). **Capability-based discovery compliant** per `CAPABILITY_BASED_DISCOVERY_STANDARD.md` v1.2.
 
 ---
 

crates/cli/Cargo.toml

@@ -41,13 +41,11 @@ toadstool-display = { path = "../runtime/display" }
 toadstool-config = { path = "../core/config" }
 toadstool-distributed = { path = "../distributed" }
 toadstool-server = { path = "../server" }  # UniBin Phase 2: Server library integration (library compiles!)
-humantime-serde = "1.1"
-
 # Runtime engines
 toadstool-runtime-container = { path = "../runtime/container" }
 toadstool-runtime-native = { path = "../runtime/native" }
 # EVOLVED: toadstool-runtime-python removed — pyo3 FFI violates ecoBin v3.0
-toadstool-runtime-wasm = { path = "../runtime/wasm", optional = true }  # Optional: has zstd C dependency
+toadstool-runtime-wasm = { path = "../runtime/wasm", optional = true }  # Optional: pure Rust (wasmi)
 wasmi = { version = "1.0", features = ["std"], optional = true }  # For WASM execution when wasm feature enabled
 toadstool-runtime-gpu = { path = "../runtime/gpu", optional = true }
 
@@ -68,7 +66,7 @@ tracing-subscriber = { workspace = true }
 # Serialization (rc for Arc<str> zero-copy in metadata)
 serde = { workspace = true, features = ["rc"] }
 serde_json = { workspace = true }
-serde_yaml_ng = "0.10"
+serde_yaml_ng = { workspace = true }
 toml = { workspace = true }
 bytes = { workspace = true }
 

crates/client/src/lib.rs

@@ -1,7 +1,10 @@
 // SPDX-License-Identifier: AGPL-3.0-or-later
 #![forbid(unsafe_code)]
 #![warn(missing_docs)]
-#![allow(clippy::missing_errors_doc)]
+#![allow(
+    clippy::missing_errors_doc,
+    reason = "client API: error docs covered in module-level docs"
+)]
 
 //! # ToadStool Client Library
 //!

crates/core/common/src/constants/mod.rs

@@ -25,4 +25,4 @@ pub use network::{
     DEFAULT_HOSTNAME, HTTP_PROTOCOL, HTTPS_PROTOCOL, LOCALHOST_IPV4, LOCALHOST_IPV6,
     UNIX_SOCKET_URL_PREFIX, UNIX_SOCKET_URL_SCHEME,
 };
-pub use primal_identity::{CAPABILITY_DOMAIN, PRIMAL_NAME};
+pub use primal_identity::{CAPABILITY_DOMAIN, INSTANCE_ID, PRIMAL_NAME};

crates/core/common/src/constants/primal_identity.rs

@@ -37,6 +37,12 @@
 /// should reference this constant.
 pub const PRIMAL_NAME: &str = "toadstool";
 
+/// Default instance identifier for this primal's primary/singleton instance.
+///
+/// Used in `UniversalPrimalProvider::instance_id()` and display capability
+/// advertisements. Must start with `PRIMAL_NAME`.
+pub const INSTANCE_ID: &str = "toadstool-main";
+
 /// Primary capability domain per `PRIMAL_SELF_KNOWLEDGE_STANDARD.md` v1.1.
 ///
 /// Socket files use the domain stem, not the primal name:
@@ -132,6 +138,11 @@ mod tests {
         assert!(capability::STORAGE_PROVIDER.contains('.'));
     }
 
+    #[test]
+    fn instance_id_starts_with_primal_name() {
+        assert!(INSTANCE_ID.starts_with(PRIMAL_NAME));
+    }
+
     #[test]
     fn audience_self_matches_identity() {
         assert_eq!(audience::SELF_AUDIENCE, PRIMAL_NAME);

crates/core/common/src/universal_adapter/discovery_engine/mod.rs

@@ -218,11 +218,14 @@ impl DiscoverySource for MDnsSource {
             }
         };
 
-        let service_type = "_toadstool._tcp.local.";
-        let receiver = match mdns.browse(service_type) {
+        let receiver = match mdns.browse(crate::primal_discovery_mdns::TOADSTOOL_SERVICE_TYPE) {
             Ok(rx) => rx,
             Err(e) => {
-                tracing::debug!("mDNS browse failed for {}: {}", service_type, e);
+                tracing::debug!(
+                    "mDNS browse failed for {}: {}",
+                    crate::primal_discovery_mdns::TOADSTOOL_SERVICE_TYPE,
+                    e
+                );
                 let _ = mdns.shutdown();
                 return Ok(vec![]);
             }
@@ -263,7 +266,7 @@ impl DiscoverySource for MDnsSource {
             }
         }
 
-        let _ = mdns.stop_browse(service_type);
+        let _ = mdns.stop_browse(crate::primal_discovery_mdns::TOADSTOOL_SERVICE_TYPE);
         let _ = mdns.shutdown();
 
         tracing::debug!("mDNS discovery found {} providers", providers.len());