ecoPrimals
diff --git a/‎Cargo.toml‎
Lines changed: 2 additions & 0 deletions b/‎Cargo.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎DEBT.md‎
Lines changed: 11 additions & 1 deletion b/‎DEBT.md‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎NEXT_STEPS.md‎
Lines changed: 11 additions & 4 deletions b/‎NEXT_STEPS.md‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 4 additions & 3 deletions b/‎README.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎crates/auto_config/Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎crates/auto_config/Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crates/auto_config/src/lib.rs‎
Lines changed: 4 additions & 1 deletion b/‎crates/auto_config/src/lib.rs‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎crates/cli/Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎crates/cli/Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crates/cli/src/executor/lifecycle_ops/mod.rs‎
Lines changed: 4 additions & 1 deletion b/‎crates/cli/src/executor/lifecycle_ops/mod.rs‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎crates/cli/src/lib.rs‎
Lines changed: 6 additions & 2 deletions b/‎crates/cli/src/lib.rs‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎crates/cli/src/templates/specialized_templates/custom_templates.rs‎
Lines changed: 1 addition & 1 deletion b/‎crates/cli/src/templates/specialized_templates/custom_templates.rs‎
Lines changed: 1 addition & 1 deletion
@@ -166,6 +166,7 @@ hkdf = "0.12"
 hmac = "0.12"
 chacha20poly1305 = "0.10"
 rand = "0.8"
+humantime-serde = "1.1"
 
 # Networking
 # EVOLVED: ipnet removed (Mar 12, 2026) — unused; no crate references it
@@ -198,6 +199,7 @@ clap = { version = "4.4", features = ["derive", "env"] }
 # Development dependencies
 tokio-test = "0.4"
 tempfile = "3.8"
+temp-env = { version = "0.3", features = ["async_closure"] }
 criterion = { version = "0.5", features = ["html_reports"] }
 proptest = "1.4"
 
 
@@ -1,13 +1,23 @@
 # Active Technical Debt Register
 
-**Date**: April 2026 — S205
+**Date**: April 2026 — S206
 **Philosophy**: Math is universal, precision is silicon. Workarounds are
 short-term solutions that increase debt. We aim to solve deep debt over
 iterations, evolving toward vendor-agnostic, capability-based solutions—
 with production stubs surfacing typed configuration errors and capability
 guidance, and auth policy driven by explicit environment configuration
 where applicable.
 
+**S206 (Lint Evolution + Dep Hygiene + Feature Cleanup)**: Resolved **D-LINT-FULL**
+(all ~40 bare `#[allow(...)]` in production evolved to `#[allow(..., reason = "...")]` —
+17 `unsafe_code` modules, ~23 clippy/deprecated/async-fn-in-trait allows), **D-DEP-UNIFIED**
+(`humantime-serde`, `rand`, `tokio-util`, `temp-env` unified to `{ workspace = true }` in 20+
+crate Cargo.toml files), **D-FEATURE-STALE** (GPU `spirv`/`jit`/`testing` features + deps
+removed; testing `integration-tests`/`benchmarks`/`wiremock` removed — none referenced in
+source), **D-MOCK-DEFAULT** (`test-mocks` removed from `toadstool` core default features —
+production builds no longer compile mock backends; testing crate explicitly enables it).
+7,841 lib tests, 0 failures, clippy and fmt clean.
+
 **S205 (Phase 55 — Crypto + Discovery)**: Resolved **D-PLAINTEXT-DISPATCH**
 (compute payloads now encrypted via Tower `crypto.encrypt` before dispatch,
 decrypted via `crypto.decrypt` on result — graceful standalone fallback).
 
@@ -1,8 +1,8 @@
 # ToadStool -- Next Steps
 
-**Updated**: April 2026 — S205 (Phase 55 — Crypto + Discovery)
-**Status**: Production-grade | Rust edition **2024** (MSRV 1.85) | **AGPL-3.0-or-later** | **All quality gates green** | **7,841 lib-only** tests verified (20,000+ workspace, 0 failures) | **~65 JSON-RPC methods** | Wire Standard L3 (partial) | Zero C FFI deps (ecoBin v3.0) | Zero production unwraps | IPC-first | workspace `unsafe_code = "deny"`, **41 crates `forbid`** | **49 unsafe blocks** (all in hw containment, all SAFETY-documented) | **0 production TODOs** | **rustix 1.x workspace-wide** | **capability-based primal references (no hardcoded names)** | **`async-trait` DEPRECATED** (banned in `deny.toml`) | **`deny.toml` ring + async-trait + zstd-sys bans active** | **env centralized via config structs** | **real Linux sandbox (rustix)** | **real resource metrics (cgroup v2/proc)** | **plugin loading (libloading)** | **binary tarpc framing (MessagePack)** | **BTSP JSON-line relay (Phase 45c)** | **Display Phase 2 (petalTongue IPC)** | **Encrypted compute dispatch (Phase 55)**
-**Latest**: S205 — Phase 55 (Crypto + Discovery): compute payloads encrypted via Tower `crypto.encrypt` before dispatch, decrypted on result return (graceful standalone fallback). `DISCOVERY_SOCKET` wired as highest-precedence tier for capability resolution. `secrets.retrieve` purpose key delegation via `SecurityClient`. **7,841 lib-only** tests, 0 failures, clippy clean, fmt clean.
+**Updated**: April 2026 — S206 (Lint Evolution + Dep Hygiene + Feature Cleanup)
+**Status**: Production-grade | Rust edition **2024** (MSRV 1.85) | **AGPL-3.0-or-later** | **All quality gates green** | **7,841 lib-only** tests verified (20,000+ workspace, 0 failures) | **~65 JSON-RPC methods** | Wire Standard L3 (partial) | Zero C FFI deps (ecoBin v3.0) | Zero production unwraps | IPC-first | workspace `unsafe_code = "deny"`, **41 crates `forbid`** | **49 unsafe blocks** (all in hw containment, all SAFETY-documented) | **0 production TODOs** | **rustix 1.x workspace-wide** | **capability-based primal references (no hardcoded names)** | **`async-trait` DEPRECATED** (banned in `deny.toml`) | **`deny.toml` ring + async-trait + zstd-sys bans active** | **env centralized via config structs** | **real Linux sandbox (rustix)** | **real resource metrics (cgroup v2/proc)** | **plugin loading (libloading)** | **binary tarpc framing (MessagePack)** | **BTSP JSON-line relay (Phase 45c)** | **Display Phase 2 (petalTongue IPC)** | **Encrypted compute dispatch (Phase 55)** | **All lint attrs with reason (S206)** | **test-mocks off by default (S206)**
+**Latest**: S206 — Lint Evolution + Dep Hygiene + Feature Cleanup: All ~40 production bare `#[allow(...)]` evolved to `#[allow(..., reason)]` (17 `unsafe_code`, ~23 clippy/deprecated). `humantime-serde`, `rand`, `tokio-util`, `temp-env` unified to workspace in 20+ Cargo.toml files. GPU `spirv`/`jit`/`testing` + testing `integration-tests`/`benchmarks`/`wiremock` stale features and deps removed. `test-mocks` removed from core default features. **7,841 lib-only** tests, 0 failures, clippy clean, fmt clean.
 
 ---
 
@@ -163,7 +163,14 @@ names directly. Deprecated API definitions retained for backward compatibility o
 
 ---
 
-## Completed This Session (S90-S205)
+## Completed This Session (S90-S206)
+
+### Session S206: Lint Evolution + Dep Hygiene + Feature Cleanup (Apr 28, 2026)
+- **Lint evolution** — All ~40 production bare `#[allow(...)]` evolved to `#[allow(..., reason = "...")]`: 17 `unsafe_code` module allows in hw-safe/gpu/display/plugin crates, plus ~23 clippy/deprecated/async_fn_in_trait allows across auto_config, cli, distributed, integration, management, neuromorphic, runtime, security crates.
+- **Dependency unification** — `humantime-serde`, `rand`, `tokio-util`, `temp-env` added to `[workspace.dependencies]` and 20+ crate Cargo.toml files updated to `{ workspace = true }`.
+- **Stale feature removal** — GPU crate: `spirv`/`jit`/`testing` features and optional deps (`spirv`, `cranelift-jit`, `wasmtime`) removed (never referenced in source). Testing crate: `integration-tests`/`benchmarks` features and `wiremock` dep removed.
+- **`test-mocks` off by default** — removed from `toadstool` core `default` features; production builds no longer compile `InMemoryAuthBackend`/`InMemoryAgentBackend`. Testing crate explicitly enables via `features = ["test-mocks"]`.
+- 7,841 lib tests, 0 failures, clippy clean, fmt clean.
 
 ### Session S205: Phase 55 — Encrypted Compute Dispatch + Discovery Socket (Apr 28, 2026)
 - **Encrypted compute dispatch** — `DispatchHandler` now optionally holds a Tower `SecurityClient`; when present (NUCLEUS composition), payloads are encrypted via `crypto.encrypt` with the `compute` purpose key before dispatch to coralReef, and results are decrypted via `crypto.decrypt` on return. Standalone mode (no BearDog) continues with plaintext dispatch.
 
@@ -45,9 +45,9 @@ Nest    = Tower  + Storage            <- storage
 | `cargo test --workspace` | **20,000+ tests, 0 failures** (7,841 lib-only verified S205), **~93** ignored (hardware-gated); full workspace ~3m30s |
 | Doctests | All passing (common, core, server, cli, testing, display) |
 | Standalone clone test | Pull to any machine, `cargo test` works (GPU-optional, CPU fallback, device-lost resilient) |
-| `unsafe` blocks | **49 actual** (all in hw-safe/GPU/VFIO/display/plugin containment crates); all SAFETY-documented (S204); workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow(unsafe_code, reason)]` |
+| `unsafe` blocks | **49 actual** (all in hw-safe/GPU/VFIO/display/plugin containment crates); all SAFETY-documented (S204); workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow(unsafe_code, reason)]`; **all ~40 production `#[allow]` have `reason =`** (S206) |
 | Production panics/unwraps | **0** production `unwrap()` / `expect()` / `panic!()` |
-| Production stubs / test mocks | Stubs evolved to real implementations (edge USB/BT/IPv6, scheduler queuing, monitoring via sysmon+statvfs); **auth test mocks** (`InMemoryAuthBackend`) isolated under **`#[cfg(any(test, feature = "test-mocks"))]`** |
+| Production stubs / test mocks | Stubs evolved to real implementations (edge USB/BT/IPv6, scheduler queuing, monitoring via sysmon+statvfs); **auth test mocks** (`InMemoryAuthBackend`) isolated under **`#[cfg(any(test, feature = "test-mocks"))]`**; **`test-mocks` removed from default features** (S206 — production builds exclude mock code) |
 | Production `Box<dyn Error>` | 0 in core crates -- all typed errors (thiserror) |
 | Production TODOs / FIXME / HACK | 0 in production code |
 | Dead code | ~400+ lines removed (REST, middleware, dead modules); **~80** justified `#[allow]` remain (conditional compilation, deprecated compat) |
@@ -275,6 +275,7 @@ toadStool/
 - **NUCLEUS crypto integration** -- compute payloads encrypted via Tower `crypto.encrypt`/`crypto.decrypt` (S205); next: primal self-registration with Songbird (`ipc.register`)
 
 ### Recently Completed
+- **S206 (Apr 28, 2026)**: **Lint Evolution + Dep Hygiene + Feature Cleanup** — All ~40 production bare `#[allow(...)]` evolved to `#[allow(..., reason)]` (17 `unsafe_code`, ~23 clippy/deprecated). `humantime-serde`, `rand`, `tokio-util`, `temp-env` unified to `{ workspace = true }` in 20+ Cargo.toml files. GPU `spirv`/`jit`/`testing` + testing `integration-tests`/`benchmarks`/`wiremock` stale features/deps removed. `test-mocks` removed from core default features (production builds no longer compile mock backends). 7,841 lib tests, 0 failures, clippy clean.
 - **S205 (Apr 28, 2026)**: **Phase 55 — Encrypted Compute Dispatch + Discovery Socket** — compute job payloads encrypted via Tower `crypto.encrypt` before dispatch, decrypted on result return (graceful standalone fallback). `DISCOVERY_SOCKET` env var wired as highest-precedence tier for capability resolution. `secrets.retrieve` purpose key delegation. 7,841 lib tests, 0 failures, clippy clean.
 - **S176 (Apr 23, 2026)**: **BTSP JSON-line handshake relay** (primalSpring Phase 45c) — JSON-line BTSP auto-detection on `0x7B` first-byte path across all three connection handlers (pure JSON-RPC, tarpc, daemon). New `btsp/json_line.rs` with `relay_json_line_handshake()` (4-step BearDog IPC relay), `btsp/family_seed.rs` with `load_family_seed_for_btsp()` (env→file cascade, base64/hex/raw normalization), security socket discovery via env cascade. `PrependByte` extracted to `btsp/framing.rs` for reuse. 7,809 lib tests, 0 failures, clippy clean.
 - **S175 (Apr 21, 2026)**: **Deep debt evolution** — `NoopCryptoProvider` evolved to capability-based error guidance (matches `NoopCloudProvider` S174 pattern). 6 `eprintln!` calls migrated to `tracing` macros in `universal/capabilities.rs` (GPU adapter discovery diagnostics). 13 bare `#[allow]` evolved to `#[expect]` with reasons across distributed (gpu detection, federation, metrics), neuromorphic (pcie), management (performance). Preventive `#[allow]` with reasons kept for nvpmu (VFIO/power_manager casts) and server (handler `unused_async`). armv7 cross-arch clean. Clippy 0 warnings.
@@ -383,7 +384,7 @@ See [DEBT.md](DEBT.md) for full register and evolution paths.
 
 ---
 
-**Last Updated**: April 2026 — S205 (Phase 55 — Crypto + Discovery). **20,000+** workspace tests, 0 failures (7,841 lib-only). ~83.6% lib-only line coverage (target 90%). **65 JSON-RPC methods** (direct) + semantic registry with **Wire Standard L3** (cost_estimates + operation_dependencies). AGPL-3.0-or-later. Zero C FFI deps (ecoBin v3.0). **49 unsafe blocks** (all in hw-safe/GPU/VFIO/display/plugin containment crates); all SAFETY-documented (S204: ffi\_loader.rs gap closed); workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow(unsafe_code, reason)]`. IPC-first JSON-RPC (dual-socket: `compute.sock` + `compute-tarpc.sock`). Rust 1.85+ (edition 2024, MSRV). **async-trait DEPRECATED** — fully removed, banned in `deny.toml`. **env_overrides fully interned** (socket_env). Real monitoring (sysmon + statvfs). **BTSP Phase 2 + JSON-line relay** (primalSpring Phase 45c). **Display Phase 2** (petalTongue IPC: `display.present`, `display.subscribe_input`, `display.poll_events`). **Encrypted compute dispatch** (Phase 55: Tower crypto delegation). **Capability-based discovery compliant** per `CAPABILITY_BASED_DISCOVERY_STANDARD.md` v1.2.
+**Last Updated**: April 2026 — S206 (Lint Evolution + Dep Hygiene + Feature Cleanup). **20,000+** workspace tests, 0 failures (7,841 lib-only). ~83.6% lib-only line coverage (target 90%). **65 JSON-RPC methods** (direct) + semantic registry with **Wire Standard L3** (cost_estimates + operation_dependencies). AGPL-3.0-or-later. Zero C FFI deps (ecoBin v3.0). **49 unsafe blocks** (all in hw-safe/GPU/VFIO/display/plugin containment crates); all SAFETY-documented (S204: ffi\_loader.rs gap closed); workspace `unsafe_code = "deny"`, **41 crates `forbid`** + 5 hw crates with narrow `#[allow(unsafe_code, reason)]`. IPC-first JSON-RPC (dual-socket: `compute.sock` + `compute-tarpc.sock`). Rust 1.85+ (edition 2024, MSRV). **async-trait DEPRECATED** — fully removed, banned in `deny.toml`. **env_overrides fully interned** (socket_env). Real monitoring (sysmon + statvfs). **BTSP Phase 2 + JSON-line relay** (primalSpring Phase 45c). **Display Phase 2** (petalTongue IPC: `display.present`, `display.subscribe_input`, `display.poll_events`). **Encrypted compute dispatch** (Phase 55: Tower crypto delegation). **All lint attrs with `reason =`** (S206). **`test-mocks` off default** (S206). **Capability-based discovery compliant** per `CAPABILITY_BASED_DISCOVERY_STANDARD.md` v1.2.
 
 ---
 
 
@@ -37,7 +37,7 @@ regex = { workspace = true }
 [dev-dependencies]
 tokio-test = { workspace = true }
 tempfile = { workspace = true }
-temp-env = { version = "0.3.6", features = ["async_closure"] }
+temp-env = { workspace = true }
 
 [features]
 default = []
 
@@ -1,7 +1,10 @@
 // SPDX-License-Identifier: AGPL-3.0-or-later
 #![forbid(unsafe_code)]
 #![warn(missing_docs)]
-#![allow(clippy::doc_markdown)]
+#![allow(
+    clippy::doc_markdown,
+    reason = "technical identifiers pervasive in API docs"
+)]
 
 //! # `ToadStool` Auto-Configuration Library
 //!
 
@@ -109,7 +109,7 @@ url = { workspace = true }
 
 [dev-dependencies]
 anyhow = "1"
-temp-env = { version = "0.3", features = ["async_closure"] }
+temp-env = { workspace = true }
 tempfile = { workspace = true }
 assert_cmd = "2.0"
 predicates = "3.0"
 
@@ -4,7 +4,10 @@
 //! Split into submodules by concern:
 //! - `start` — biome/primal/service startup, workload conversion
 //! - `stop`  — graceful/force shutdown, purge, signal handling
-#![allow(deprecated)]
+#![allow(
+    deprecated,
+    reason = "lifecycle ops reference deprecated config fields during migration"
+)]
 
 mod start;
 mod stop;
 
@@ -1,7 +1,10 @@
 // SPDX-License-Identifier: AGPL-3.0-or-later
 #![forbid(unsafe_code)]
 #![warn(missing_docs)]
-#![allow(deprecated)] // Intentional: IPC addressing requires well-known names
+#![allow(
+    deprecated,
+    reason = "IPC addressing requires well-known names during migration"
+)]
 #![allow(
     clippy::cast_possible_truncation,
     clippy::cast_precision_loss,
@@ -39,7 +42,8 @@
     clippy::float_cmp,
     clippy::case_sensitive_file_extension_comparisons,
     clippy::assigning_clones,
-    clippy::needless_raw_string_hashes
+    clippy::needless_raw_string_hashes,
+    reason = "CLI crate: pedantic lints suppressed crate-wide; numeric casts bounds-checked"
 )]
 
 //! `ToadStool` CLI - Universal Compute Command Center
 
@@ -3,7 +3,7 @@
 //!
 //! Allows users to define custom biome configurations via CustomTemplateSpec.
 
-#![allow(deprecated)] // Module uses deprecated fields during migration
+#![allow(deprecated, reason = "module uses deprecated fields during migration")]
 
 use std::collections::HashMap;