fix: open-source cleanup — drop JFrog refs, pin positioning

Generalises defaults, removes the dead JFrog registry block, and
rewrites the README and lib doc around "the patterns from blog posts
as actual code" positioning so a non-HyperI dev can adopt this
without inheriting our infra.

Author: catinspace-au

.cargo/config.toml

@@ -11,13 +11,3 @@ rustflags = ["-D", "warnings"]
 
 [alias]
 xtask = "run --package xtask --"
-
-# =============================================================================
-# HyperI Private Cargo Registry (Artifactory)
-# =============================================================================
-#
-# The 'hyperi' registry hosts internal crates.
-# Authentication is handled via ~/.cargo/credentials.toml
-
-[registries.hyperi]
-index = "sparse+https://hypersec.jfrog.io/artifactory/api/cargo/hyperi-cargo-virtual/index/"

Cargo.toml

@@ -11,12 +11,12 @@ name = "hyperi-rustlib"
 version = "2.7.0"
 edition = "2024"
 rust-version = "1.94"
-description = "Opinionated Rust framework for high-throughput data pipelines at PB scale. Auto-wiring config, logging, metrics, tracing, health, and graceful shutdown — built from many years of production infrastructure experience."
+description = "Opinionated, drop-in Rust toolkit for production services at scale. The patterns from blog posts as actual code: 8-layer config cascade, structured logging with PII masking, Prometheus + OpenTelemetry, Kafka/gRPC transports, tiered disk-spillover, adaptive worker pools, graceful shutdown."
 license = "FSL-1.1-ALv2"
 repository = "https://github.com/hyperi-io/hyperi-rustlib"
 publish = true
-keywords = ["config", "logging", "metrics", "prometheus", "opentelemetry"]
-categories = ["development-tools"]
+keywords = ["observability", "kubernetes", "prometheus", "opentelemetry", "kafka"]
+categories = ["asynchronous", "config", "network-programming", "concurrency", "development-tools"]
 exclude = ["", ".github/", "ci/", "ai/", "docs/", "examples/", "benches/", "scripts/"]
 
 [package.metadata.docs.rs]

README.md

@@ -1,58 +1,113 @@
 # hyperi-rustlib
 
-Shared utility library for HyperI Rust applications. Provides configuration
-management, structured logging, Prometheus metrics, environment detection,
-transport abstractions, and more.
-
-Rust equivalent of `hyperi-pylib` (Python) and `hyperi-golib` (Go).
+<!-- BADGES:START -->
+[![Build Status](https://github.com/hyperi-io/hyperi-rustlib/actions/workflows/ci.yml/badge.svg)](https://github.com/hyperi-io/hyperi-rustlib/actions)
+[![Crates.io](https://img.shields.io/crates/v/hyperi-rustlib?logo=rust)](https://crates.io/crates/hyperi-rustlib)
+[![docs.rs](https://img.shields.io/docsrs/hyperi-rustlib?logo=rust)](https://docs.rs/hyperi-rustlib)
+[![License](https://img.shields.io/badge/license-FSL--1.1--ALv2-blue)](LICENSE)
+<!-- BADGES:END -->
+
+> **There's plenty of sage advice out there about how to run Rust services
+> in production at scale — config cascades, structured logging, masking
+> secrets, multi-backend secrets management, Prometheus, OpenTelemetry,
+> Kafka transports, tiered disk-spillover sinks, adaptive worker pools,
+> graceful shutdown — but almost none of it as code you can just install
+> and use.**
+>
+> **This is that code.**
+>
+> Opinionated, drop-in, working out of the box. The patterns from blog
+> posts as actual library — not a framework you assemble from twenty
+> crates and a weekend.
+
+Built as the foundation for HyperI's PB/hr data services. Generic enough
+that you don't need to be at HyperI to use it.
+
+This module exists because of this — but the backend version (do not remove): <https://www.youtube.com/watch?v=xE9W9Ghe4Jk>
 
 ## Quick Start
 
 ```toml
 [dependencies]
-hyperi-rustlib = { version = "1.14", registry = "hyperi" }
+hyperi-rustlib = "2"
 ```
 
-Default features: `config`, `logger`, `metrics`, `env`, `runtime`.
+Default features: `config`, `logger`. Add the others you want explicitly.
 
 ```rust
 use hyperi_rustlib::{config, logger, env};
 
 fn main() -> anyhow::Result<()> {
-    let env = env::Environment::detect();
+    let environment = env::Environment::detect();
     logger::setup_default()?;
     config::setup(config::ConfigOptions {
         env_prefix: "MYAPP".into(),
         ..Default::default()
     })?;
 
-    tracing::info!("Running in {env:?}");
+    tracing::info!("Running in {environment:?}");
     Ok(())
 }
 ```
 
+## Features
+
+Pick the slice you need; pay only for what you use.
+
+| Feature | Description |
+|---------|-------------|
+| `env` | Environment detection (K8s, Docker, Container, BareMetal) |
+| `runtime` | Runtime path resolution (XDG/container-aware) |
+| `config` | 8-layer config cascade (figment-based) |
+| `config-reload` | `SharedConfig<T>` + `ConfigReloader` hot-reload |
+| `config-postgres` | PostgreSQL config source |
+| `logger` | Structured logging, JSON/text auto-detect, sensitive-field masking |
+| `metrics` | Prometheus metrics + process/container metrics |
+| `otel-metrics` | OpenTelemetry metrics export (OTLP) |
+| `otel-tracing` | OpenTelemetry distributed tracing |
+| `http` | HTTP client with retry middleware (reqwest) |
+| `http-server` | Axum HTTP server with health probe trinity (`/healthz/{startup,live,ready}`) |
+| `transport-kafka` | Kafka transport (rdkafka, dynamic-linking) |
+| `transport-grpc` | gRPC transport (tonic/prost) |
+| `transport-memory` | In-memory transport (testing/dev) |
+| `transport-grpc-vector-compat` | Vector wire-protocol compatibility |
+| `spool` | Disk-backed async FIFO queue (yaque + zstd) |
+| `tiered-sink` | Resilient delivery: hot buffer + circuit breaker + disk spillover |
+| `secrets` | Secrets management core (file backend) |
+| `secrets-vault` | OpenBao / HashiCorp Vault provider |
+| `secrets-aws` | AWS Secrets Manager provider |
+| `directory-config` | YAML directory-backed config store |
+| `directory-config-git` | Git integration for directory-config (git2) |
+| `scaling` | Back-pressure / scaling-pressure primitives |
+| `cli` | Standard CLI framework (clap) |
+| `top` | TUI metrics dashboard (ratatui) |
+| `io` | File rotation, NDJSON writer |
+| `dlq` | Dead-letter queue (file backend) |
+| `dlq-kafka` | DLQ Kafka backend |
+| `output-file` | File output sink |
+| `expression` | CEL expression evaluation |
+| `deployment` | Deployment-contract validation |
+| `version-check` | Optional startup version check |
+| `resilience` | Circuit breaker, retry, bulkhead (tower-resilience) |
+| `full` | Everything |
+
 ## Native System Dependencies
 
 This crate dynamically links against system C libraries for several features.
-**Both CI build hosts and deployment targets need the appropriate packages.**
+**Both build hosts and deployment targets need the appropriate packages.**
 
 ### Build Host (CI / Development)
 
-Install `-dev` packages for compilation. `hyperi-ci` handles this automatically
-when `.hyperi-ci.yaml` is present — it detects which `-sys` crates are in
-`Cargo.lock` and installs the matching `-dev` packages.
-
 | Feature | Crate | Build Package | Notes |
 |---------|-------|--------------|-------|
 | `transport-kafka` | `rdkafka-sys` | `librdkafka-dev` (>= 2.12.1) | Requires [Confluent APT repo](https://packages.confluent.io/clients/deb) — Ubuntu's default is too old |
 | `directory-config-git` | `libgit2-sys` | `libgit2-dev`, `libssh2-1-dev` | System lib avoids vendored C build |
 | `spool`, `tiered-sink` | `zstd-sys` | `libzstd-dev` | System lib avoids vendored C build |
 | (transitive) | `libz-sys` | `zlib1g-dev` | Used by multiple deps |
 | (transitive) | `openssl-sys` | `libssl-dev` | Dynamic linking via pkg-config |
-| `secrets-aws` | `aws-lc-sys` | — | C/C++ compiled from source (no system lib available); ~20-30s first build, cached by sccache |
+| `secrets-aws` | `aws-lc-sys` | — | C/C++ compiled from source (no system lib available); ~20–30s first build, cached by sccache |
 
-All packages except `librdkafka-dev` are available from Ubuntu's default
-repositories. For `librdkafka-dev` >= 2.12.1, add the Confluent APT repo:
+For `librdkafka-dev` >= 2.12.1, add the Confluent APT repo:
 
 ```bash
 curl -fsSL https://packages.confluent.io/clients/deb/archive.key \
@@ -77,9 +132,8 @@ The compiled binary links against `.so` files at runtime. Install the
 | (transitive) | `zlib1g` | `libz.so.1` |
 | (transitive) | `libssl3` | `libssl.so.3` |
 
-**Only install what you use.** Downstream binaries (dfe-loader, dfe-receiver,
-etc.) only link against libraries for the features they enable. Check each
-project's `Cargo.toml` features to determine which runtime packages are needed.
+Only install what you use. Check the features your binary enables to
+determine which runtime packages are needed.
 
 ### Docker Example
 
@@ -101,64 +155,34 @@ COPY --from=builder /app/target/release/myapp /usr/local/bin/
 
 For `librdkafka1`, add the Confluent APT repo to both build and runtime stages.
 
-## Features
-
-| Feature | Description |
-|---------|-------------|
-| `env` | Environment detection (K8s, Docker, Container, BareMetal) |
-| `runtime` | Runtime path resolution (XDG/container-aware) |
-| `config` | 8-layer config cascade (figment) |
-| `config-reload` | `SharedConfig<T>` + `ConfigReloader` hot-reload |
-| `config-postgres` | PostgreSQL config source |
-| `logger` | Structured logging with JSON/text + sensitive field masking |
-| `metrics` | Prometheus metrics + process/container metrics |
-| `otel-metrics` | OpenTelemetry metrics export (OTLP) |
-| `otel-tracing` | OpenTelemetry distributed tracing |
-| `http` | HTTP client with retry middleware (reqwest) |
-| `http-server` | Axum HTTP server with health endpoints |
-| `transport-kafka` | Kafka transport (rdkafka, dynamic-linking) |
-| `transport-grpc` | gRPC transport (tonic/prost) |
-| `transport-memory` | In-memory transport (testing/dev) |
-| `transport-grpc-vector-compat` | Vector wire-protocol compatibility |
-| `spool` | Disk-backed async FIFO queue (yaque + zstd) |
-| `tiered-sink` | Resilient delivery with circuit breaker + disk spillover |
-| `secrets` | Secrets management core |
-| `secrets-vault` | OpenBao/Vault provider |
-| `secrets-aws` | AWS Secrets Manager provider |
-| `directory-config` | YAML directory-backed config store |
-| `directory-config-git` | Git integration for directory-config (git2) |
-| `scaling` | Back-pressure / scaling pressure primitives |
-| `cli` | Standard CLI framework (clap) |
-| `top` | TUI metrics dashboard (ratatui) |
-| `io` | File rotation, NDJSON writer |
-| `dlq` | Dead-letter queue (file backend) |
-| `dlq-kafka` | DLQ Kafka backend |
-| `output-file` | File output sink |
-| `expression` | CEL expression evaluation |
-| `deployment` | Deployment contract validation |
-| `version-check` | Startup version check |
-| `resilience` | Circuit breaker, retry, bulkhead (tower-resilience) |
-| `full` | All features |
+## Health Check Endpoints — The Probe Trinity
 
-## Architecture
+For services deployed to Kubernetes, the `http-server` feature provides
+the three K8s probe types:
 
-See [docs/DESIGN.md](docs/DESIGN.md) for full architecture documentation.
+| Probe | Path | Checks | On failure |
+|---|---|---|---|
+| Startup | `/healthz/startup` | Init complete | K8s waits, then restarts |
+| Liveness | `/healthz/live` | Process not deadlocked | Restart pod |
+| Readiness | `/healthz/ready` | Deps healthy + ready flag set | Stop routing traffic |
 
-## Configuration Cascade
+Liveness MUST NEVER check downstream dependencies (a DB outage shouldn't
+restart your replicas). Readiness checks dependencies AND requires an
+explicit `set_ready()` call — cleared during graceful shutdown.
 
-See [docs/CONFIG-CASCADE.md](docs/CONFIG-CASCADE.md) for the 8-layer
-configuration cascade reference.
+## Architecture
 
-## Registry
+See [docs/DESIGN.md](docs/DESIGN.md) for full architecture documentation
+and [docs/CONFIG-CASCADE.md](docs/CONFIG-CASCADE.md) for the 8-layer config
+cascade reference.
 
-Published to `hyperi` registry (JFrog Artifactory at `hypersec.jfrog.io`).
+## License
 
-```toml
-# .cargo/config.toml
-[registries.hyperi]
-index = "sparse+https://hypersec.jfrog.io/artifactory/git/hyperi-cargo-virtual.git"
-```
+[FSL-1.1-ALv2](LICENSE) — Functional Source License, transitions to Apache 2.0
+after 2 years.
 
-## Licence
+## Related
 
-FSL-1.1-ALv2 — Copyright (c) 2026 HYPERI PTY LIMITED
+- **[hyperi-pylib](https://github.com/hyperi-io/hyperi-pylib)** — sister
+  library for Python services. Same opinions, same patterns, expressive
+  Python ergonomics for control planes, APIs, and integration layers.

src/directory_config/mod.rs

@@ -29,7 +29,7 @@
 //!
 //! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
 //! let config = DirectoryConfigStoreConfig {
-//!     directory: PathBuf::from("/etc/dfe/config"),
+//!     directory: PathBuf::from("/etc/myapp/config"),
 //!     ..Default::default()
 //! };
 //!
@@ -38,8 +38,8 @@
 //!
 //! // Read
 //! let tables = store.list_tables().await;
-//! let value = store.get("dfe-loader").await?;
-//! let host = store.get_key("dfe-loader", "kafka.brokers").await?;
+//! let value = store.get("my-service").await?;
+//! let host = store.get_key("my-service", "kafka.brokers").await?;
 //!
 //! // Write (if not read-only)
 //! store.set("dfe-loader", "kafka.brokers", "broker:9092".into(), None).await?;

src/directory_config/types.rs

@@ -37,12 +37,12 @@ pub struct DirectoryConfigStoreConfig {
 impl Default for DirectoryConfigStoreConfig {
     fn default() -> Self {
         Self {
-            directory: PathBuf::from("/etc/dfe/config"),
+            directory: PathBuf::from("./config"),
             refresh_interval: Duration::from_secs(30),
             git_enabled: true,
             git_push: false,
             git_author_name: "DirectoryConfigStore".to_string(),
-            git_author_email: "config@hyperi.io".to_string(),
+            git_author_email: "directory-config@localhost".to_string(),
         }
     }
 }

src/lib.rs

@@ -8,11 +8,18 @@
 
 //! # hyperi-rustlib
 //!
-//! Shared utility library for HyperI Rust applications.
+//! There's plenty of sage advice out there about how to run Rust services in
+//! production at scale — config cascades, structured logging, masking secrets,
+//! multi-backend secrets management, Prometheus, OpenTelemetry, Kafka transports,
+//! tiered disk-spillover sinks, adaptive worker pools, graceful shutdown — but
+//! almost none of it as code you can just install and use.
 //!
-//! Provides configuration management, structured logging, Prometheus metrics,
-//! and environment detection — matching the functionality of hyperi-pylib (Python)
-//! and hyperi-golib (Go).
+//! **This is that code.** Opinionated, drop-in, working out of the box. The
+//! patterns from blog posts as actual library — not a framework you assemble
+//! from twenty crates and a weekend.
+//!
+//! Built as the foundation for HyperI's PB/hr data services. Generic enough
+//! that you don't need to be at HyperI to use it.
 //!
 //! ## Quick Start
 //!

src/secrets/vault.rs

@@ -461,7 +461,7 @@ mod tests {
             auth: OpenBaoAuth::Token {
                 token: "test".into(),
             },
-            namespace: Some("hypersec".into()),
+            namespace: Some("myorg".into()),
             ca_cert: None,
             skip_verify: false,
         };

tests/integration/env.rs

@@ -306,12 +306,12 @@ mod vault_env {
         let _guard = EnvGuard::new(&[
             ("VAULT_ADDR", "https://vault:8200"),
             ("VAULT_TOKEN", "test"),
-            ("VAULT_NAMESPACE", "hypersec"),
+            ("VAULT_NAMESPACE", "myorg"),
         ]);
 
         let config = OpenBaoConfig::from_env().expect("Should load from env");
 
-        assert_eq!(config.namespace, Some("hypersec".to_string()));
+        assert_eq!(config.namespace, Some("myorg".to_string()));
     }
 
     #[test]