deep debt evolution S276: unwrap elimination, sovereign split, memmap2 removal

Production unwrap/expect/unreachable surface eliminated:
- sovereign.rs: resp.as_object_mut().unwrap() → if-let guard
- mmio_region.rs: NonNull::new().expect() → assert + new_unchecked
- dma.rs: Layout expect in Drop → graceful leak-on-error
- diagnostic interpreter: pt_ok + 5x expect → if-let destructure
- permissions.rs: map.next().expect() → let-else
- dispatch/mod.rs: unreachable!() → Option return + error log

handler/sovereign.rs (1,003L, 11 handlers) → module directory:
- sovereign/init.rs (454L): init, devinit, classify_tier, experiment
- sovereign/snapshot.rs (250L): snapshot, compare, catalyst_diff
- sovereign/capture.rs (304L): kernel_health, reagent_capture,
  recipe_replay, runtime_services_probe
- sovereign/mod.rs (15L): re-exports

memmap2 dependency removed from hw-safe — safe_mmap.rs rewritten to
use rustix::mm::mmap/munmap directly (same API used by device_mmap.rs).
ExclusivePtr pattern adopted for Send+Sync safety.

Stale primal-name type aliases deprecated:
- SongbirdNetworkConfigurator → OrchestrationNetworkConfigurator
- SongbirdNetworkConfig → OrchestrationNetworkConfig
- NestGateResult → StorageServiceResult

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: BiomeOS Developer

crates/cli/src/network_config/configurator/mod.rs

@@ -83,6 +83,7 @@ pub struct OrchestrationNetworkConfigurator {
 /// Short alias for [`OrchestrationNetworkConfigurator`].
 pub type OrchestrationConfigurator = OrchestrationNetworkConfigurator;
 
+#[deprecated(since = "0.2.0", note = "use OrchestrationNetworkConfigurator — capability-based naming")]
 /// Legacy alias — prefer [`OrchestrationNetworkConfigurator`].
 pub type SongbirdNetworkConfigurator = OrchestrationNetworkConfigurator;
 

crates/cli/src/network_config/types/mod.rs

@@ -47,5 +47,6 @@ pub struct OrchestrationNetworkConfig {
     pub health_monitoring: HealthMonitoringConfig,
 }
 
+#[deprecated(since = "0.2.0", note = "use OrchestrationNetworkConfig — capability-based naming")]
 /// Legacy alias — prefer [`OrchestrationNetworkConfig`].
 pub type SongbirdNetworkConfig = OrchestrationNetworkConfig;

crates/core/cylinder/src/mmio_region.rs

@@ -48,9 +48,10 @@ impl MmioRegion {
     /// - `len` must match the length passed to `mmap`.
     #[must_use]
     pub(crate) unsafe fn new(ptr: *mut u8, len: usize) -> Self {
-        let ptr = NonNull::new(ptr).expect("MmioRegion::new: mmap pointer must be non-null");
+        assert!(!ptr.is_null(), "MmioRegion::new: mmap pointer must be non-null (caller broke safety contract)");
         Self {
-            ptr,
+            // SAFETY: asserted non-null above
+            ptr: unsafe { NonNull::new_unchecked(ptr) },
             len,
             backing: Backing::Mmap,
         }

crates/core/cylinder/src/vfio/channel/diagnostic/interpreter/probe/channel.rs

@@ -73,25 +73,15 @@ pub fn probe_channel(
     let mut pd0 = DmaBuffer::new(container.clone(), 4096, l5_pd0_iova).ok();
     let mut pt0 = DmaBuffer::new(container.clone(), 4096, l5_pt0_iova).ok();
 
-    let pt_ok = pd3.is_some() && pd2.is_some() && pd1.is_some() && pd0.is_some() && pt0.is_some();
-
-    if pt_ok {
+    if let (Some(pd3), Some(pd2), Some(pd1), Some(pd0), Some(pt0)) =
+        (&mut pd3, &mut pd2, &mut pd1, &mut pd0, &mut pt0)
+    {
         crate::vfio::channel::page_tables::populate_page_tables_custom(
-            pd3.as_mut()
-                .expect("pt_ok guarantees all page table buffers are Some")
-                .as_mut_slice(),
-            pd2.as_mut()
-                .expect("pt_ok guarantees all page table buffers are Some")
-                .as_mut_slice(),
-            pd1.as_mut()
-                .expect("pt_ok guarantees all page table buffers are Some")
-                .as_mut_slice(),
-            pd0.as_mut()
-                .expect("pt_ok guarantees all page table buffers are Some")
-                .as_mut_slice(),
-            pt0.as_mut()
-                .expect("pt_ok guarantees all page table buffers are Some")
-                .as_mut_slice(),
+            pd3.as_mut_slice(),
+            pd2.as_mut_slice(),
+            pd1.as_mut_slice(),
+            pd0.as_mut_slice(),
+            pt0.as_mut_slice(),
             l5_pd2_iova,
             l5_pd1_iova,
             l5_pd0_iova,
@@ -257,11 +247,10 @@ pub fn probe_channel(
             crate::vfio::cache_ops::clflush_range(&userd.as_slice()[ramuserd::GP_GET..]);
             crate::vfio::cache_ops::memory_fence();
         }
-        let userd_gp_get = u32::from_le_bytes(
-            userd.as_slice()[ramuserd::GP_GET..ramuserd::GP_GET + 4]
-                .try_into()
-                .expect("4-byte slice always fits [u8; 4]"),
-        );
+        let gp_get_bytes: [u8; 4] = userd.as_slice()[ramuserd::GP_GET..ramuserd::GP_GET + 4]
+            .try_into()
+            .unwrap_or([0; 4]);
+        let userd_gp_get = u32::from_le_bytes(gp_get_bytes);
 
         let context_loaded = sig != 0xBEEF_0010 && gpbase != 0xBEEF_0048;
         let sig_correct = sig == 0x0000_FACE;

crates/core/cylinder/src/vfio/dma.rs

@@ -347,8 +347,10 @@ impl Drop for DmaBuffer {
         let _ = Self::dma_unmap_backend(&self.backend, self.iova, size as u64);
 
         // SAFETY: `size` and `PAGE_SIZE` are identical to those used in new().
-        let layout = std::alloc::Layout::from_size_align(size, PAGE_SIZE)
-            .expect("Layout valid: matches alloc in new()");
+        let Ok(layout) = std::alloc::Layout::from_size_align(size, PAGE_SIZE) else {
+            tracing::error!(size, PAGE_SIZE, "DMA dealloc layout invalid — leaking buffer to avoid UB");
+            return;
+        };
         // SAFETY: dealloc matches alloc_zeroed from new(); layout identical.
         unsafe { std::alloc::dealloc(ptr, layout) };
 

crates/core/hw-safe/Cargo.toml

@@ -13,7 +13,6 @@ keywords = ["hardware", "mmap", "mmio", "unsafe", "wrapper"]
 categories.workspace = true
 
 [dependencies]
-memmap2 = "0.9"
 rustix = { version = "1", features = ["mm"] }
 thiserror = { workspace = true }
 tracing = { workspace = true }

crates/core/hw-safe/src/safe_mmap.rs

@@ -1,26 +1,26 @@
 // SPDX-License-Identifier: AGPL-3.0-or-later
 #![allow(
     unsafe_code,
-    reason = "memmap2 map_raw requires unsafe — containment zone"
+    reason = "mmap/munmap require unsafe — containment zone"
 )]
 
 //! RAII memory-mapped file region.
 //!
-//! [`SafeMmapRegion`] wraps [`memmap2::MmapRaw`] for device BAR files, sysfs
-//! resource files, and similar file-backed hardware mappings. The mapping
-//! lifetime (munmap on drop) is handled by `memmap2`.
+//! [`SafeMmapRegion`] wraps `rustix::mm::mmap`/`munmap` for device BAR files,
+//! sysfs resource files, and similar file-backed hardware mappings. The mapping
+//! lifetime (munmap on drop) is managed by the RAII struct.
 //!
 //! This replaces the duplicate mmap patterns in:
 //! - `akida-driver` `MmapRegion`
 //! - `nvpmu` `Bar0Access`
 //! - `display` V4L2 device mappings
 
 use std::fs::File;
+use std::os::fd::AsFd;
 use std::path::Path;
 use std::ptr::NonNull;
 
-use memmap2::{MmapOptions, MmapRaw};
-
+use crate::ExclusivePtr;
 use crate::volatile_mmio::VolatileMmio;
 
 /// Error type for mmap operations.
@@ -48,20 +48,26 @@ pub enum MmapError {
         /// Underlying I/O error.
         source: std::io::Error,
     },
+    /// mmap returned a null pointer.
+    #[error("mmap returned null for {path}")]
+    NullPointer {
+        /// Path with null mmap result.
+        path: String,
+    },
 }
 
 /// RAII memory-mapped file region.
 ///
 /// Maps a file (typically a PCI BAR resource, sysfs attribute, or device
-/// node) into the process address space. Unmaps automatically on drop
-/// (handled by [`memmap2`]).
+/// node) into the process address space. Unmaps automatically on drop.
 ///
 /// ## Volatile MMIO
 ///
 /// For hardware register access, use [`as_volatile`](SafeMmapRegion::as_volatile)
 /// to get a [`VolatileMmio`] view with bounds-checked volatile reads and writes.
 pub struct SafeMmapRegion {
-    mmap: MmapRaw,
+    ptr: ExclusivePtr,
+    size: usize,
     _file: File,
 }
 
@@ -74,15 +80,32 @@ impl SafeMmapRegion {
     /// the mmap syscall fails.
     pub fn map_shared_rw(path: &Path) -> Result<Self, MmapError> {
         let (file, size) = Self::open_validated(path, true)?;
-        let mmap = MmapOptions::new()
-            .len(size)
-            .map_raw(&file)
-            .map_err(|source| MmapError::MmapFailed {
-                path: path.display().to_string(),
-                source,
-            })?;
+        let path_str = path.display().to_string();
+
+        // SAFETY: file is a valid open descriptor; size > 0 validated above;
+        // PROT_READ|PROT_WRITE + MAP_SHARED are correct for device BAR files.
+        let raw = unsafe {
+            rustix::mm::mmap(
+                std::ptr::null_mut(),
+                size,
+                rustix::mm::ProtFlags::READ | rustix::mm::ProtFlags::WRITE,
+                rustix::mm::MapFlags::SHARED,
+                file.as_fd(),
+                0,
+            )
+        }
+        .map_err(|e| MmapError::MmapFailed {
+            path: path_str.clone(),
+            source: e.into(),
+        })?;
+
+        let ptr = NonNull::new(raw.cast()).ok_or(MmapError::NullPointer { path: path_str })?;
         tracing::debug!(path = %path.display(), size, "mmap region created (rw)");
-        Ok(Self { mmap, _file: file })
+        Ok(Self {
+            ptr: ExclusivePtr::new(ptr),
+            size,
+            _file: file,
+        })
     }
 
     /// Map a file as a shared read-only memory region.
@@ -93,15 +116,32 @@ impl SafeMmapRegion {
     /// the mmap syscall fails.
     pub fn map_shared_ro(path: &Path) -> Result<Self, MmapError> {
         let (file, size) = Self::open_validated(path, false)?;
-        let mmap = MmapOptions::new()
-            .len(size)
-            .map_raw_read_only(&file)
-            .map_err(|source| MmapError::MmapFailed {
-                path: path.display().to_string(),
-                source,
-            })?;
+        let path_str = path.display().to_string();
+
+        // SAFETY: file is a valid open descriptor; size > 0 validated above;
+        // PROT_READ + MAP_SHARED is correct for read-only device mappings.
+        let raw = unsafe {
+            rustix::mm::mmap(
+                std::ptr::null_mut(),
+                size,
+                rustix::mm::ProtFlags::READ,
+                rustix::mm::MapFlags::SHARED,
+                file.as_fd(),
+                0,
+            )
+        }
+        .map_err(|e| MmapError::MmapFailed {
+            path: path_str.clone(),
+            source: e.into(),
+        })?;
+
+        let ptr = NonNull::new(raw.cast()).ok_or(MmapError::NullPointer { path: path_str })?;
         tracing::debug!(path = %path.display(), size, "mmap region created (ro)");
-        Ok(Self { mmap, _file: file })
+        Ok(Self {
+            ptr: ExclusivePtr::new(ptr),
+            size,
+            _file: file,
+        })
     }
 
     fn open_validated(path: &Path, writable: bool) -> Result<(File, usize), MmapError> {
@@ -134,53 +174,41 @@ impl SafeMmapRegion {
     /// Size of the mapped region in bytes.
     #[must_use]
     pub fn size(&self) -> usize {
-        self.mmap.len()
+        self.size
     }
 
     /// Get a [`VolatileMmio`] view for bounds-checked volatile register access.
     ///
     /// The returned view borrows this region — the mapping stays alive.
-    ///
-    /// # Panics
-    ///
-    /// Panics if `memmap2` returned a null pointer, which should never happen
-    /// after a successful `map_raw` call.
     #[must_use]
     pub fn as_volatile(&self) -> VolatileMmio<'_> {
-        debug_assert!(
-            self.mmap.len() > 0,
-            "SafeMmapRegion invariant: non-empty mapping (see open_validated)"
-        );
-        // SAFETY: mmap is valid (from a successful map_raw call). as_mut_ptr
-        // returns a valid pointer for len() bytes. The VolatileMmio borrows
-        // self, preventing use-after-unmap.
-        unsafe {
-            VolatileMmio::new(
-                NonNull::new(self.mmap.as_mut_ptr())
-                    .expect("memmap2 returned null — mapping was successful"),
-                self.mmap.len(),
-            )
-        }
+        // SAFETY: ptr is valid for `size` bytes from the successful mmap.
+        // The VolatileMmio borrows self, preventing use-after-unmap.
+        unsafe { VolatileMmio::new(self.ptr.as_non_null(), self.size) }
     }
 
     /// Raw pointer to the mapped region. Use [`as_volatile`](Self::as_volatile)
     /// for safe register access instead.
-    ///
-    /// # Panics
-    ///
-    /// Panics if `memmap2` returned a null pointer, which should never happen
-    /// after a successful `map_raw` call.
     #[must_use]
     pub fn as_ptr(&self) -> NonNull<u8> {
-        NonNull::new(self.mmap.as_mut_ptr())
-            .expect("memmap2 returned null — mapping was successful")
+        self.ptr.as_non_null()
+    }
+}
+
+impl Drop for SafeMmapRegion {
+    fn drop(&mut self) {
+        // SAFETY: ptr and size from a successful mmap in constructor;
+        // Drop runs exactly once; no outstanding borrows possible.
+        unsafe {
+            let _ = rustix::mm::munmap(self.ptr.as_ptr().cast(), self.size);
+        }
     }
 }
 
 impl std::fmt::Debug for SafeMmapRegion {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.debug_struct("SafeMmapRegion")
-            .field("size", &self.mmap.len())
+            .field("size", &self.size)
             .finish_non_exhaustive()
     }
 }
@@ -238,7 +266,7 @@ mod tests {
 
         assert!(mmio.read_u32(0).is_ok());
         assert!(mmio.read_u32(4).is_ok());
-        assert!(mmio.read_u32(8).is_err()); // out of bounds
+        assert!(mmio.read_u32(8).is_err());
     }
 
     #[test]

crates/core/toadstool/src/biomeos_integration/auth/permissions.rs

@@ -125,7 +125,9 @@ impl<'de> Deserialize<'de> for PrimalTypeConfig {
                 map.len()
             )));
         }
-        let (k, v) = map.into_iter().next().expect("len checked");
+        let Some((k, v)) = map.into_iter().next() else {
+            return Err(D::Error::custom("empty manifest map after len check"));
+        };
         match k.as_str() {
             manifest_serde::TOADSTOOL => ToadStoolConfig::deserialize(v)
                 .map(Self::ToadStool)

crates/integration/storage/src/lib.rs

@@ -51,6 +51,7 @@ pub mod types;
 mod utils;
 
 // Re-export core types and functionality
+#[allow(deprecated, reason = "re-exporting deprecated NestGateResult for backward compatibility")]
 pub use types::{
     ArtifactFilters, ArtifactMetadata, ArtifactType, CachedArtifact, CompressionType,
     EncryptionType, NestGateResult, StorageError, StorageInfo, StorageServiceResult, StorageTier,

crates/integration/storage/src/types.rs

@@ -49,6 +49,7 @@ pub enum StorageError {
 /// Result type for storage-service operations.
 pub type StorageServiceResult<T> = Result<T, StorageError>;
 
+#[deprecated(since = "0.2.0", note = "use StorageServiceResult — capability-based naming")]
 /// Legacy alias for [`StorageServiceResult`].
 pub type NestGateResult<T> = StorageServiceResult<T>;