S203e: deep debt — network centralization + 5-file refactoring

Centralize 8 hardcoded network constants (RFC1918 scan ranges, gateway
fallback, subnet defaults, scan suffixes, TEST-NET-3 prefix) to
core/config/defaults/network.rs. Update ecosystem_network.rs,
byob/config.rs, byob/network_manager.rs to use constants.

Extract inline test modules from 5 production files >550 LOC:
byob_types (585→280), cross_spring_provenance (581→420),
gpu_job_queue (581→430), silicon (575→390), registry (581→375).

Full deep audit confirms: zero TODO/FIXME/HACK/dbg!/unwrap/set_var in
production, all unsafe in hw-safe containment, all mocks test-gated,
all hardcoding centralized, all C deps optional-feature-gated.

Made-with: Cursor

Author: westgate

CHANGELOG.md

@@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased] - April 12, 2026 (Sessions 43-203)
 
+### Session S203e (Apr 12, 2026) — Deep Debt: Network Centralization + File Refactoring
+
+#### Hardcoded Network Centralization
+- CENTRALIZED: 8 network constants to `core/config/defaults/network.rs`
+  - `DEFAULT_NETWORK_SUBNET`, `GATEWAY_FALLBACK_IP`, `INTERNAL_IP_BASE`, `INTERNAL_IP_OFFSET`
+  - `RFC1918_SCAN_RANGES`, `PROBE_DEFAULT_PORT`, `COMMON_SCAN_SUFFIXES`
+  - `TEST_NET_3_PREFIX` / `DOCUMENTATION_PREFIX` (RFC 5737)
+- UPDATED: `auto_config/ecosystem_network.rs` — scan ranges/suffixes from constants
+- UPDATED: `byob/config.rs` — subnet from constant
+- UPDATED: `byob/network_manager.rs` — gateway, IP base, TEST-NET from constants
+
+#### Smart File Refactoring (5 production files)
+- EXTRACTED: `byob/byob_types.rs` tests → `byob_types_tests.rs` (585→~280)
+- EXTRACTED: `cross_spring_provenance.rs` tests → `cross_spring_provenance_tests.rs` (581→~420)
+- EXTRACTED: `gpu_job_queue.rs` tests → `gpu_job_queue_tests.rs` (581→~430)
+- EXTRACTED: `handler/silicon.rs` tests → `silicon_tests.rs` (575→~390)
+- EXTRACTED: `primal_capabilities/registry.rs` tests → `registry_tests.rs` (581→~375)
+
+#### Deep Audit Results
+- Zero TODO/FIXME/HACK/dbg!/Box<dyn Error>/.unwrap()/std::env::set_var in production
+- All unsafe in hw-safe/VFIO/DRM/V4L2/GPU containment zones with SAFETY docs
+- All mocks properly #[cfg(test)] or feature-gated
+- All hardcoded values now centralized to config/defaults constants
+- All external C deps behind optional features (blake3 pure-Rust confirmed)
+
 ### Session S203d (Apr 12, 2026) — LD-04 Resolution: BTSP Auto-Detect + Env-Safe Tests
 
 #### BTSP Plain-Text Auto-Detect (LD-04 Completion)

DEBT.md

@@ -1,6 +1,6 @@
 # Active Technical Debt Register
 
-**Date**: April 12, 2026 — S203d
+**Date**: April 12, 2026 — S203e
 **Philosophy**: Math is universal, precision is silicon. Workarounds are
 short-term solutions that increase debt. We aim to solve deep debt over
 iterations, evolving toward vendor-agnostic, capability-based solutions.
@@ -64,6 +64,22 @@ dependency is pure Rust (proc-macro) and zero-overhead at runtime for non-dyn pa
 
 ## S203 Resolved Debt (Deep Audit & Evolution Execution)
 
+### D-NETWORK-HARDCODING-CENTRALIZATION — RESOLVED S203e
+**Scope**: `auto_config`, `core/toadstool/byob`, `core/config`
+Hardcoded network ranges (RFC1918 scan ranges, gateway fallback, subnet
+defaults, host scan suffixes, TEST-NET-3 prefix) centralized to 8 named
+constants in `core/config/defaults/network.rs`. Three call sites updated.
+Files: `ecosystem_network.rs`, `byob/config.rs`, `byob/network_manager.rs`.
+
+### D-LARGE-FILE-REFACTOR-S203E — RESOLVED S203e
+**Scope**: 5 files across 4 crates
+Smart test extraction from production files >550 LOC:
+- `byob/byob_types.rs` (585→~280)
+- `cross_spring_provenance.rs` (581→~420)
+- `gpu_job_queue.rs` (581→~430)
+- `handler/silicon.rs` (575→~390)
+- `primal_capabilities/registry.rs` (581→~375)
+
 ### D-LD04-BTSP-AUTODETECT — RESOLVED S203d
 **Crate**: `server` | **Audit**: LD-04 (primalSpring downstream — partial blocker)
 BTSP-enabled sockets rejected plain JSON-RPC: primalSpring's `CompositionContext`

crates/auto_config/src/ecosystem_network.rs

@@ -12,6 +12,9 @@ use tracing::debug;
 
 use crate::ecosystem_types::{ServiceInfo, ServicePattern, ServiceStatus};
 use crate::{ToadStoolError, ToadStoolResult};
+use toadstool_config::defaults::network::{
+    COMMON_SCAN_SUFFIXES, PROBE_DEFAULT_PORT, RFC1918_SCAN_RANGES,
+};
 use toadstool_config::env_config::EnvironmentConfig;
 
 /// TCP connect timeout for `probe_service`. Production uses 2s; tests use a
@@ -27,12 +30,10 @@ const TCP_PROBE_CONNECT_TIMEOUT: Duration = if cfg!(test) {
 /// Returns a list of CIDR-style network ranges to scan for ecosystem services.
 #[must_use]
 pub fn get_local_network_ranges() -> Vec<String> {
-    let ranges = vec![
-        "192.168.1.0/24".to_string(),
-        "192.168.0.0/24".to_string(),
-        "10.0.0.0/24".to_string(),
-        "172.16.0.0/24".to_string(),
-    ];
+    let ranges: Vec<String> = RFC1918_SCAN_RANGES
+        .iter()
+        .map(|s| (*s).to_string())
+        .collect();
 
     debug!("Using default network ranges: {:?}", ranges);
     ranges
@@ -53,7 +54,7 @@ pub async fn probe_service(
 
     let config = EnvironmentConfig::from_env();
     let host = url.host_str().unwrap_or(&config.network.bind_address);
-    let port = url.port().unwrap_or(80);
+    let port = url.port().unwrap_or(PROBE_DEFAULT_PORT);
     let socket_addr = format!("{host}:{port}");
 
     if timeout(TCP_PROBE_CONNECT_TIMEOUT, TcpStream::connect(&socket_addr))
@@ -110,9 +111,7 @@ pub async fn scan_network_range(
 
     let base = format!("{}.{}.{}", ip_parts[0], ip_parts[1], ip_parts[2]);
 
-    let scan_ips = vec![1, 2, 10, 20, 50, 100, 200, 254];
-
-    for ip_suffix in scan_ips {
+    for &ip_suffix in COMMON_SCAN_SUFFIXES {
         let ip = format!("{base}.{ip_suffix}");
 
         for (capability_key, pattern) in service_patterns {
@@ -160,13 +159,14 @@ pub async fn discover_network_services(
 #[cfg(test)]
 mod tests {
     use super::*;
+    use toadstool_config::defaults::network::RFC1918_SCAN_RANGES;
 
     #[tokio::test]
     async fn test_network_range_parsing() {
         let ranges = get_local_network_ranges();
 
         assert!(!ranges.is_empty());
-        assert!(ranges.contains(&"192.168.1.0/24".to_string()));
+        assert!(ranges.contains(&RFC1918_SCAN_RANGES[0].to_string()));
     }
 
     #[tokio::test]
@@ -227,9 +227,9 @@ mod tests {
     #[tokio::test]
     async fn test_get_local_network_ranges_has_four_defaults() {
         let ranges = get_local_network_ranges();
-        assert_eq!(ranges.len(), 4);
-        assert!(ranges.contains(&"192.168.1.0/24".to_string()));
-        assert!(ranges.contains(&"10.0.0.0/24".to_string()));
+        assert_eq!(ranges.len(), RFC1918_SCAN_RANGES.len());
+        assert!(ranges.contains(&RFC1918_SCAN_RANGES[0].to_string()));
+        assert!(ranges.contains(&RFC1918_SCAN_RANGES[2].to_string()));
     }
 
     #[tokio::test]

crates/core/config/src/defaults/network.rs

@@ -76,3 +76,39 @@ pub const DISCOVERY_PORT: u16 = 0;
 /// Default federation port for cross-primal communication
 /// Port 0 = OS-assigned at bind time.
 pub const FEDERATION_PORT: u16 = 0;
+
+// ═══════════════════════════════════════════════════════════════════════════
+// BYOB / ECOSYSTEM DISCOVERY SHARED LITERALS
+// ═══════════════════════════════════════════════════════════════════════════
+
+/// Default CIDR for BYOB executor default network subnet.
+pub const DEFAULT_NETWORK_SUBNET: &str = "10.0.0.0/24";
+
+/// Gateway IP when the subnet base cannot be parsed (last octet forced to `.1`).
+pub const GATEWAY_FALLBACK_IP: &str = "10.0.0.1";
+
+/// First three octets for allocated internal service IPs in BYOB (`{base}.{offset+n}`).
+pub const INTERNAL_IP_BASE: &str = "10.0.0";
+
+/// Host octet for the first service in BYOB internal IP allocation.
+pub const INTERNAL_IP_OFFSET: usize = 10;
+
+/// Typical private-network `/24` ranges scanned for ecosystem discovery (RFC 1918-style defaults).
+pub const RFC1918_SCAN_RANGES: &[&str] = &[
+    "192.168.1.0/24",
+    "192.168.0.0/24",
+    "10.0.0.0/24",
+    "172.16.0.0/24",
+];
+
+/// Default TCP port when a URL has no port (HTTP probe).
+pub const PROBE_DEFAULT_PORT: u16 = 80;
+
+/// Host octets to probe when scanning a `/24` range for ecosystem services.
+pub const COMMON_SCAN_SUFFIXES: &[u8] = &[1, 2, 10, 20, 50, 100, 200, 254];
+
+/// RFC 5737 TEST-NET-3 documentation prefix (non-globally routable; safe for examples).
+pub const TEST_NET_3_PREFIX: &str = "203.0.113";
+
+/// Alias for documentation / example IP allocation (same as [`TEST_NET_3_PREFIX`]).
+pub const DOCUMENTATION_PREFIX: &str = TEST_NET_3_PREFIX;