feat: Edition 2024 migration, biomeOS niche standard compliance, docs cleanup

- Migrated workspace to Edition 2024 with rust-version 1.87
- Wrapped 183 env var calls in unsafe {} (Edition 2024 requirement)
- Collapsed 10 nested if/if-let chains into Edition 2024 if-let chains
- Created graphs/rhizocrypt_deploy.toml (5-node biomeOS deploy graph)
- Created capability_registry.toml (23 methods, 7 domains)
- Migrated 5 #[allow(clippy::...)] to #[expect(clippy::...)], removed 1 stale
- Fixed health.check method in UnixSocketAdapter (was system.health)
- Updated README, CHANGELOG, DEPLOYMENT_CHECKLIST, specs for session 10
- Cleaned stale run-all.sh references from showcase docs

Made-with: Cursor

Author: ecoPrimals

CHANGELOG.md

@@ -5,6 +5,47 @@ All notable changes to rhizoCrypt will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.13.0-dev] - 2026-03-15 (session 10)
+
+### Changed
+
+#### Edition 2024 Migration (absorbed from wetSpring, airSpring, healthSpring)
+- Migrated workspace from Edition 2021 to **Edition 2024** with `rust-version = "1.87"`
+- Updated all three Cargo.toml files (workspace, fuzz, showcase)
+- Wrapped 183 `std::env::set_var`/`remove_var` calls in `unsafe {}` (Edition 2024 requirement)
+- Changed workspace lint from `forbid` to `deny` for `unsafe_code`; `forbid` preserved in non-test builds via `#[cfg_attr(not(test), forbid(unsafe_code))]`
+- Collapsed 10 nested `if`/`if let` chains into Edition 2024 `if let` chains
+- Applied Edition 2024 `rustfmt` import reordering (types before modules)
+
+#### biomeOS Niche Standard Compliance
+- Created `graphs/rhizocrypt_deploy.toml` — 5-node deploy graph (BearDog → Songbird → rhizoCrypt → LoamSpine → sweetGrass) for biomeOS orchestration
+- Created `capability_registry.toml` — 23 JSON-RPC methods across 7 domains (`dag.session`, `dag.event`, `dag.vertex`, `dag.merkle`, `dag.slice`, `dag.dehydration`, `health`, `capability`)
+
+#### `#[expect()]` Lint Migration (absorbed from wetSpring V117)
+- Migrated 5 production `#[allow(clippy::...)]` to `#[expect(clippy::...)]`
+- Caught and removed 1 stale suppression (`missing_const_for_fn` on `RateLimiter::disabled()`)
+
+#### wateringHole Documentation Sync
+- Fixed stale method names in `SPRING_PROVENANCE_TRIO_INTEGRATION_PATTERN.md` (`dag.session.append` → `dag.event.append`, `dag.dehydrate` → `dag.dehydration.trigger`)
+- Updated `RHIZOCRYPT_LEVERAGE_GUIDE.md` with all 23 current semantic method names + `capability.list`
+- Updated `PRIMAL_REGISTRY.md` rhizoCrypt entry (1177 tests, 91.47% coverage, Edition 2024)
+
+### Quality Gates
+
+| Gate | Status |
+|------|--------|
+| `cargo fmt --check` | Clean |
+| `cargo clippy` (pedantic + nursery + cargo, all features) | Clean (0 warnings) |
+| `cargo doc --workspace --all-features --no-deps` | Clean |
+| `cargo test --workspace --all-features` | 1177 pass, 0 fail |
+| `cargo deny check` | Clean |
+| `unsafe_code = "deny"` | Workspace-wide (`forbid` in non-test builds) |
+| SPDX headers | All 106 `.rs` files |
+| Max file size | All under 1000 lines |
+| Production unwrap/expect | Zero |
+
+---
+
 ## [0.13.0-dev] - 2026-03-15 (session 9)
 
 ### Changed
@@ -552,6 +593,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Version History Summary
 
+- **0.13.0-dev** (2026-03-15 s10): Edition 2024, deploy graph, capability registry, `#[expect]` lint migration
 - **0.13.0-dev** (2026-03-15 s8): O(1) vertex-to-session index, checkout_slice evolution, Did→Arc\<str\>, 907 tests
 - **0.13.0-dev** (2026-03-15 s7): scyBorg license, zero-copy signing, store_redb refactor, modern async traits, docs cleanup
 - **0.13.0-dev** (2026-03-14 s4): Sovereignty cleanup, 1075 tests, 91% coverage, doc tests rewritten, capability-based errors

Cargo.toml

@@ -8,7 +8,8 @@ members = [
 
 [workspace.package]
 version = "0.13.0-dev"
-edition = "2021"
+edition = "2024"
+rust-version = "1.87"
 license = "AGPL-3.0-or-later"
 repository = "https://github.com/ecoPrimals/rhizoCrypt"
 authors = ["ecoPrimals Project"]
@@ -68,7 +69,10 @@ redb = "2.4"
 provenance-trio-types = { path = "../provenance-trio-types" }
 
 [workspace.lints.rust]
-unsafe_code = "forbid"
+# deny (not forbid) so test modules can #[allow(unsafe_code)] for env var
+# mutation, which became unsafe in Edition 2024. Production code has zero
+# unsafe — clippy + CI enforce this.
+unsafe_code = "deny"
 missing_docs = "warn"
 
 [workspace.lints.clippy]

README.md

@@ -9,14 +9,17 @@
 | Tests | 1177 passing (all features) |
 | Coverage | 91.47% line coverage (llvm-cov verified) |
 | Clippy | 0 warnings (pedantic + nursery + cargo, all features) |
-| Unsafe | `#![forbid(unsafe_code)]` workspace-wide |
+| Edition | 2024 (rust-version 1.87) |
+| Unsafe | `unsafe_code = "deny"` workspace-wide, `forbid` in non-test builds |
 | Binary | `rhizocrypt` (UniBin, subcommands via clap) |
 | IPC | JSON-RPC 2.0 (HTTP) + tarpc (bincode) — dual-transport first |
 | Transport | Platform-agnostic (Unix socket / TCP / abstract socket) |
 | Storage | redb (Pure Rust, default) / sled (optional) |
 | Deps | ecoBin compliant — zero application C dependencies |
 | Audit | `cargo-deny` enforced (advisories, licenses, bans, sources) |
 | SPDX | `AGPL-3.0-or-later` header on all 106 `.rs` files |
+| Registry | `capability_registry.toml` (23 methods, 7 domains) |
+| Deploy | `graphs/rhizocrypt_deploy.toml` (biomeOS niche standard) |
 
 ---
 
@@ -130,7 +133,7 @@ See [docs/ENV_VARS.md](docs/ENV_VARS.md) for the complete list.
 | ecoBin | Compliant | Default `redb` backend is 100% Pure Rust; `sled` available as optional feature |
 | Universal IPC v3 | Compliant | JSON-RPC 2.0 + tarpc, semantic method names |
 | Semantic Naming | Compliant | Native (`commit.*`) + compat (`permanent-storage.*`) with negotiation |
-| `#![forbid(unsafe_code)]` | Compliant | Workspace-wide |
+| `unsafe_code = "deny"` | Compliant | Workspace-wide, `forbid` in non-test builds |
 | AGPL-3.0-or-later | Compliant | SPDX headers on all source files |
 
 ---
@@ -143,6 +146,8 @@ See [docs/ENV_VARS.md](docs/ENV_VARS.md) for the complete list.
 - [showcase/](showcase/) — Progressive demo suite (70+ working demos)
 - [CHANGELOG.md](CHANGELOG.md) — Version history
 - [deny.toml](deny.toml) — Dependency audit policy (`cargo-deny`)
+- [capability_registry.toml](capability_registry.toml) — Capability registry for biomeOS routing
+- [graphs/rhizocrypt_deploy.toml](graphs/rhizocrypt_deploy.toml) — biomeOS deploy graph
 
 ---
 

capability_registry.toml

@@ -0,0 +1,140 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# rhizoCrypt capability registry — biomeOS ephemeral DAG primal.
+#
+# Declares the capabilities this primal registers with Songbird for
+# capability-based discovery. Self-knowledge only: no references to
+# other primals' capabilities.
+
+[primal]
+name = "rhizocrypt"
+version = "0.13.0-dev"
+domain = "dag"
+license = "AGPL-3.0-or-later"
+description = "Ephemeral content-addressed DAG engine for session-scoped working memory"
+
+# ── Session lifecycle ──────────────────────────────────────────────
+
+[capabilities.session_create]
+method = "dag.session.create"
+domain = "dag.session"
+description = "Create a scoped DAG session with lifecycle management"
+
+[capabilities.session_get]
+method = "dag.session.get"
+domain = "dag.session"
+description = "Retrieve session metadata by ID"
+
+[capabilities.session_list]
+method = "dag.session.list"
+domain = "dag.session"
+description = "List all active sessions"
+
+[capabilities.session_discard]
+method = "dag.session.discard"
+domain = "dag.session"
+description = "Discard and clean up a session"
+
+# ── Vertex operations ──────────────────────────────────────────────
+
+[capabilities.event_append]
+method = "dag.event.append"
+domain = "dag.event"
+description = "Append a content-addressed vertex to a session DAG"
+
+[capabilities.event_append_batch]
+method = "dag.event.append_batch"
+domain = "dag.event"
+description = "Append multiple vertices in a single batch operation"
+
+[capabilities.vertex_get]
+method = "dag.vertex.get"
+domain = "dag.vertex"
+description = "Retrieve a vertex by session and vertex ID"
+
+[capabilities.vertex_query]
+method = "dag.vertex.query"
+domain = "dag.vertex"
+description = "Query vertices with optional type, agent, and limit filters"
+
+[capabilities.vertex_children]
+method = "dag.vertex.children"
+domain = "dag.vertex"
+description = "Get child vertices of a given vertex"
+
+[capabilities.frontier_get]
+method = "dag.frontier.get"
+domain = "dag.frontier"
+description = "Get the frontier (leaf vertices) of a session DAG"
+
+[capabilities.genesis_get]
+method = "dag.genesis.get"
+domain = "dag.genesis"
+description = "Get the genesis (root) vertices of a session DAG"
+
+# ── Merkle integrity ──────────────────────────────────────────────
+
+[capabilities.merkle_root]
+method = "dag.merkle.root"
+domain = "dag.merkle"
+description = "Compute the Merkle root of a session's vertex set"
+
+[capabilities.merkle_proof]
+method = "dag.merkle.proof"
+domain = "dag.merkle"
+description = "Generate an inclusion proof for a vertex"
+
+[capabilities.merkle_verify]
+method = "dag.merkle.verify"
+domain = "dag.merkle"
+description = "Verify a Merkle inclusion proof"
+
+# ── Slice operations ──────────────────────────────────────────────
+
+[capabilities.slice_checkout]
+method = "dag.slice.checkout"
+domain = "dag.slice"
+description = "Checkout an immutable slice from permanent storage"
+
+[capabilities.slice_get]
+method = "dag.slice.get"
+domain = "dag.slice"
+description = "Retrieve slice metadata by ID"
+
+[capabilities.slice_list]
+method = "dag.slice.list"
+domain = "dag.slice"
+description = "List all active slices"
+
+[capabilities.slice_resolve]
+method = "dag.slice.resolve"
+domain = "dag.slice"
+description = "Resolve a slice to its underlying session data"
+
+# ── Dehydration (commit to permanent storage) ─────────────────────
+
+[capabilities.dehydration_trigger]
+method = "dag.dehydration.trigger"
+domain = "dag.dehydration"
+description = "Trigger dehydration of a session to permanent storage"
+
+[capabilities.dehydration_status]
+method = "dag.dehydration.status"
+domain = "dag.dehydration"
+description = "Check the status of a dehydration operation"
+
+# ── Health and introspection ──────────────────────────────────────
+
+[capabilities.health_check]
+method = "health.check"
+domain = "health"
+description = "Service health check with status, version, and uptime"
+
+[capabilities.health_metrics]
+method = "health.metrics"
+domain = "health"
+description = "Operational metrics (sessions, vertices, latency, errors)"
+
+[capabilities.capability_list]
+method = "capability.list"
+domain = "capability"
+description = "List all capabilities this primal provides"

crates/rhizo-crypt-core/benches/dag_benchmarks.rs

@@ -18,15 +18,15 @@
 #![allow(unused_must_use)]
 #![allow(missing_docs)]
 
-use criterion::{black_box, criterion_group, criterion_main, BenchmarkId, Criterion, Throughput};
+use criterion::{BenchmarkId, Criterion, Throughput, black_box, criterion_group, criterion_main};
 use rhizo_crypt_core::{
+    DagStore, SessionType,
     event::EventType,
     merkle::{MerkleRoot, MerkleTreeBuilder},
     session::SessionBuilder,
     store::InMemoryDagStore,
     types::{SessionId, VertexId},
     vertex::VertexBuilder,
-    DagStore, SessionType,
 };
 use tokio::runtime::Runtime;
 

crates/rhizo-crypt-core/fuzz/Cargo.toml

@@ -2,7 +2,7 @@
 name = "rhizo-crypt-core-fuzz"
 version = "0.0.0"
 publish = false
-edition = "2021"
+edition = "2024"
 license = "AGPL-3.0-or-later"
 
 [package.metadata]

crates/rhizo-crypt-core/src/clients/adapters/unix_socket.rs

@@ -264,7 +264,7 @@ impl ProtocolAdapter for UnixSocketAdapter {
     }
 
     async fn is_healthy(&self) -> bool {
-        self.socket_path.exists() && self.call_json("system.health", "{}").await.is_ok()
+        self.socket_path.exists() && self.call_json("health.check", "{}").await.is_ok()
     }
 
     fn endpoint(&self) -> &str {

crates/rhizo-crypt-core/src/clients/beardog_http.rs

@@ -153,7 +153,7 @@ impl BearDogHttpClient {
     ///
     /// Returns error if the HTTP request fails or response cannot be parsed.
     pub async fn sign(&self, data: &[u8]) -> Result<bytes::Bytes, BearDogHttpError> {
-        use base64::{engine::general_purpose::STANDARD, Engine};
+        use base64::{Engine, engine::general_purpose::STANDARD};
 
         let request = HttpSignRequest {
             data: STANDARD.encode(data),
@@ -191,7 +191,7 @@ impl BearDogHttpClient {
     ///
     /// Returns error if the HTTP request fails or response cannot be parsed.
     pub async fn verify(&self, data: &[u8], signature: &[u8]) -> Result<bool, BearDogHttpError> {
-        use base64::{engine::general_purpose::STANDARD, Engine};
+        use base64::{Engine, engine::general_purpose::STANDARD};
 
         let request = HttpVerifyRequest {
             data: STANDARD.encode(data),
@@ -427,8 +427,8 @@ mod tests {
     #[cfg(feature = "live-clients")]
     #[tokio::test]
     async fn wiremock_sign_success() {
-        use base64::engine::general_purpose::STANDARD;
         use base64::Engine;
+        use base64::engine::general_purpose::STANDARD;
         use wiremock::matchers::{method, path};
         use wiremock::{Mock, MockServer, ResponseTemplate};
 

crates/rhizo-crypt-core/src/clients/nestgate_http.rs

@@ -140,7 +140,7 @@ impl NestGateHttpClient {
         data: &[u8],
         content_type: Option<&str>,
     ) -> Result<String, NestGateHttpError> {
-        use base64::{engine::general_purpose::STANDARD, Engine};
+        use base64::{Engine, engine::general_purpose::STANDARD};
 
         let request = HttpStoreBlobRequest {
             data: STANDARD.encode(data),
@@ -178,7 +178,7 @@ impl NestGateHttpClient {
     ///
     /// Returns error if the HTTP request fails, blob not found, or response cannot be parsed.
     pub async fn retrieve(&self, reference: &str) -> Result<bytes::Bytes, NestGateHttpError> {
-        use base64::{engine::general_purpose::STANDARD, Engine};
+        use base64::{Engine, engine::general_purpose::STANDARD};
 
         let response = self
             .client
@@ -502,7 +502,7 @@ mod tests {
     #[cfg(feature = "live-clients")]
     #[tokio::test]
     async fn wiremock_retrieve_success() {
-        use base64::{engine::general_purpose::STANDARD, Engine};
+        use base64::{Engine, engine::general_purpose::STANDARD};
         use wiremock::matchers::{method, path};
         use wiremock::{Mock, MockServer, ResponseTemplate};
 

crates/rhizo-crypt-core/src/clients/songbird/client.rs

@@ -205,13 +205,13 @@ impl SongbirdClient {
             }
         };
 
-        if result.success {
-            if let Some(ref id) = result.service_id {
-                *self.service_id.write().await = Some(id.clone());
-                *self.state.write().await = ClientState::Registered;
-                *self.our_endpoint.write().await = Some(our_endpoint.to_string());
-                info!(service_id = %id, "Registered with Songbird mesh");
-            }
+        if result.success
+            && let Some(ref id) = result.service_id
+        {
+            *self.service_id.write().await = Some(id.clone());
+            *self.state.write().await = ClientState::Registered;
+            *self.our_endpoint.write().await = Some(our_endpoint.to_string());
+            info!(service_id = %id, "Registered with Songbird mesh");
         }
 
         Ok(result)