v2.78: blocking debt resolved, AI routing evolved, smart refactoring

All 4 blocking debt items from primalSpring audit resolved:
- B-1: Graph rollback with checkpoint/restore + reverse topo lifecycle.stop
- B-2: DNS-SD mDNS discovery (RFC 6762) with health probes and LAN fallback
- B-3: Remote primal acquisition (GitHub + HTTP + SHA256 verification)
- B-4: Federation manifest deployment with topology validation

AI module evolved from embedded intent classifier to thin capability routing
— biomeOS deploys with ecoBins alone, Squirrel tags in at runtime.

capability.discover accepts both capability/domain params (primalSpring compat).
Smart refactoring: discovery.rs 1128→467, primal_registry 1150→823 lines.
Removed dead tokio-process dep, evolved blake3 to pure, cleaned all Future
comments to implementations or documented delegation.

Root docs, handoff, CHANGELOG updated to v2.78. Stale version refs fixed.
SECURITY.md added. bin/README cleaned.

7,204 tests, 0 failures, 0 clippy warnings, 0 files >1000 LOC, 0 blocking debt.

Made-with: Cursor

Author: eastgate

CHANGELOG.md

@@ -2,6 +2,41 @@
 
 All notable changes to biomeOS will be documented in this file.
 
+## v2.78 (2026-03-29) — Blocking Debt Resolved + AI Routing Evolution + Smart Refactoring
+
+### Blocking Debt Resolved (all 4)
+- **B-1 Graph rollback**: Real checkpoint/restore with reverse topological lifecycle.stop + capability.unregister — replaces former no-op
+- **B-2 DNS discovery**: mDNS/DNS-SD (RFC 6762) over `_biomeos._tcp.local` with SRV/TXT parsing, health probes, and LAN fallback
+- **B-3 Remote primal acquisition**: GitHub releases (curl subprocess) + HTTP downloads (hyper pure Rust) + SHA256 verification + XDG cache
+- **B-4 Federation manifest deployment**: YAML manifest parsing, topology validation (acyclic trust graph), per-gate JSON-RPC `federation.configure` + `federation.join`
+
+### Evolved
+- **AI module**: Removed embedded intent classifier / recommendation engine (565→395 lines). AI capabilities now route to Squirrel via `capability.discover { domain: "ai" }` at runtime — biomeOS deployable with ecoBins alone, users tag in AI primal on demand
+- **capability.discover**: Accepts both `capability` and `domain` parameter names for primalSpring cross-transport compatibility
+- **Health check (S-2)**: Deploy-graph health path evolved from socket-existence to real JSON-RPC `health.liveness` probes with 3s timeout
+- **Harvest tool (S-3)**: GitHub acquisition implemented — curl + asset matching + SHA256 checksum + manifest provenance
+- **capabilities.list**: Added canonical route alias alongside `capability.list` per SEMANTIC_METHOD_NAMING_STANDARD
+- **boot/init.rs network config**: Replaced placeholder with loopback verification; network management delegated to Songbird
+- **blake3 ecoBin compliance**: Platypus chimera evolved to `blake3 { features = ["pure"] }` — zero C code paths
+- **All `Future:` comments**: Evolved to either real implementations or documented architectural delegation
+
+### Refactored
+- **discovery.rs** (1128→467 lines): Extracted `dns_sd` module into `discovery/dns_sd.rs` (663 lines)
+- **primal_registry/mod.rs** (1150→823 lines): Extracted remote acquisition into `primal_registry/remote.rs` (337 lines)
+- Zero files over 1000 LOC in workspace
+
+### Removed
+- **tokio-process 0.2**: Dead dependency (listed but never imported) removed from biomeos-deploy
+- **Embedded AI types**: `AIRecommendation`, `Priority`, `QueryIntent`, `AIAction`, `AIResponse` — AI policy belongs in Squirrel, not biomeOS
+- **GeneticAccessKey String alias**: Consolidated to single struct definition in types.rs
+
+### Added
+- `SECURITY.md`: Vulnerability disclosure policy, supported versions, security design principles
+- `unsafe_code = "deny"` at workspace level (overridable by `#[expect]` in test-only env helpers)
+
+### Metrics
+- **7,204 tests**, 0 failures, 134 ignored, 0 Clippy warnings, 0 files >1000 LOC, 0 blocking debt
+
 ## v2.77 (2026-03-28) — Deep Audit + DI Evolution + Cleanup
 
 ### Evolved

CONTEXT.md

@@ -23,8 +23,9 @@ multiple gates (devices).
 - **Architecture:** Single binary (UniBin) with multiple operational modes (bootstrap, nucleus, deploy, doctor, continuous, rootpulse)
 - **Communication:** JSON-RPC 2.0 over Unix sockets, abstract sockets, TCP, and HTTP — with tarpc binary protocol escalation for hot paths
 - **License:** AGPL-3.0-only (scyBorg triple-copyleft: AGPL-3.0 + ORC + CC-BY-SA 4.0)
-- **Tests:** 7,209 passing, 0 failures
+- **Tests:** 7,204 passing, 0 failures
 - **Coverage:** 90%+ line coverage (llvm-cov verified)
+- **Blocking debt:** 0 (graph rollback, DNS discovery, remote acquisition, federation manifest — all resolved)
 - **Edition:** Rust 2024 across all workspace crates
 - **Crate count:** 26 workspace crates
 - **Clippy:** 0 warnings (pedantic + nursery lints)

CURRENT_STATUS.md

@@ -1,8 +1,8 @@
 # biomeOS - Current Status
 
-**Updated**: March 28, 2026 (v2.77: deep audit + DI evolution, commented-code cleanup, Cargo.toml hygiene)
-**Version**: 2.77
-**Status**: PRODUCTION READY - Multi-Computer Federation Validated
+**Updated**: March 29, 2026 (v2.78: blocking debt resolved, AI routing evolved, smart refactoring, primalSpring compat)
+**Version**: 2.78
+**Status**: PRODUCTION READY - Multi-Computer Federation Validated - Zero Blocking Debt
 
 ---
 
@@ -17,7 +17,7 @@
 | **Security Score** | 100/100 (HSTS, X-Frame, CSP, Referrer-Policy, Cache-Control) |
 | **Code Quality** | A++ (Pure Rust, Edition 2024 all crates, ecoBin v3.0, fully concurrent, zero warnings, full doc coverage, sovereignty audit) |
 | **Lint hardening** | `deny` on unwrap_used/expect_used, workspace lints inherited by all 26 workspace crates |
-| **Tests Passing** | 7,209 lib + bin + doc + proptest (0 failures, ~135 ignored hardware-dependent — run with `--ignored --test-threads=1`) |
+| **Tests Passing** | 7,204 lib + bin + doc + proptest (0 failures, ~134 ignored hardware-dependent — run with `--ignored --test-threads=1`) |
 | **Test Coverage** | 90%+ (llvm-cov workspace-wide verified) — all three metrics above 90% target |
 | **Unsafe Code** | 0 production (test-only env helpers with RAII guards) |
 | **Clippy** | PASS (0 warnings, pedantic+nursery, `-D warnings`, all crates via `[lints] workspace = true`) |
@@ -941,7 +941,7 @@ Family: Shared .family.seed, both enrolled with Blake3-Lineage-KDF
 # Build
 cargo build --workspace
 
-# Test (7,202 tests — ~135 ignored hardware-dependent — use --ignored --test-threads=1 for those)
+# Test (7,204 tests — ~134 ignored hardware-dependent — use --ignored --test-threads=1 for those)
 cargo test --workspace
 
 # Clippy (0 warnings, entire workspace)
@@ -963,8 +963,8 @@ echo '{"jsonrpc":"2.0","method":"query_ai","params":{"prompt":"hello","model":"c
 
 ---
 
-**Status**: Production Ready (v2.77 — deep audit + DI evolution, commented-code cleanup, Cargo.toml hygiene)
-**Tests**: 7,209 passing, 0 failures, ~135 ignored cwd-sensitive (90%+ llvm-cov verified)
+**Status**: Production Ready (v2.78 — blocking debt resolved, AI routing evolved, smart refactoring, primalSpring compat)
+**Tests**: 7,204 passing, 0 failures, ~134 ignored hardware-dependent (90%+ llvm-cov verified)
 **Clippy**: PASS (0 warnings, pedantic+nursery) | **Format**: PASS | **Docs**: Full coverage | **Unsafe**: 0 production | **C deps**: 0
 **IPC**: Universal IPC v3.0 (Unix/Abstract/TCP/HTTP JSON-RPC) + tarpc binary escalation
 **Neural API**: 290+ translations, 26 domains, proxy_http, capability.call, graph coordination