[codec][P2/P3] Hygiene: --locked, toolchain pin, brotli-wasm pin, engines, crates.io, dead variants #18

@ignromanov

Re-audit 2026-05-29 (PR #7). Opportunistic hardening; none block merge.

  • CI cargo build/test omit --locked (ci.yml:27) — committed Cargo.lock not enforced.
  • rust-toolchain.toml (1.85.0) not honored in CI — floating stable used (ci.yml).
  • rust-cache emits "could not find Cargo.toml" exit-101 ×2 at workspace root (ci.yml:19) — non-fatal, disables caching + masks signal.
  • brotli-wasm ^3.0.1 unpinned → wire-byte determinism risk for a perpetual codec (receiptHash safe; wire URLs not).
  • engines.node >=24 (codec) vs >=18 (types/networks/brotli-wasm) — narrows adoption with no stated reason.
  • PF-3 crates.io reserve + Rust crate publishability (cargo publish --dry-run, license-file, excluded test/vector bloat) unverified.
  • 3 dead CodecError variants (SignatureInvalid, DictionaryMismatch, CompressionFailed); salt-length/missing-salt reported as ChecksumMismatch (taxonomy overlap).
  • WASM gzip ~95.7% of locked 80KB cap (~3.5KB headroom) — watch.
  • Token-list liveness in a 'perpetual' surface: tokens.ts logoURI → Uniswap master CDN; chains.ts rpcUrls[0] → llamarpc.
  • 4 dead golden vectors (loaded by no test); malformed-non-canonical-varint vector hits the Overflow path, not the non-canonical-varint branch it claims (vectors/v4-codec.json).

Source: 43-agent audit dimensions + completeness critic.
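
Added example, not part of the issue and not the project's code: a minimal decoder showing how a negative varint vector can land on an Overflow path before a non-canonical check ever runs, plus a check that each vector fails with the error its name claims. It assumes unsigned LEB128 over u64; `VarintError`, `decode_varint` and `hits_claimed_branch` are hypothetical names, and the byte vectors are constructed, not taken from vectors/v4-codec.json.

```rust
// Hypothetical error taxonomy for this example (not the project's CodecError).
#[derive(Debug, PartialEq)]
pub enum VarintError {
    Truncated,    // input ended while the continuation bit was still set
    Overflow,     // encoding does not fit in 64 bits
    NonCanonical, // value fits, but a shorter encoding exists
}

/// Decode one unsigned LEB128 u64, returning (value, bytes consumed).
pub fn decode_varint(buf: &[u8]) -> Result<(u64, usize), VarintError> {
    let mut value: u64 = 0;
    for (i, &b) in buf.iter().enumerate() {
        // A u64 spans at most 10 groups of 7 bits, and the 10th group may
        // carry only bit 63. Anything else, including a continuation bit
        // on the 10th byte, is an overflow.
        if i == 9 && b > 0x01 {
            return Err(VarintError::Overflow);
        }
        value |= u64::from(b & 0x7f) << (7 * i);
        if b & 0x80 == 0 {
            // A zero final group after the first byte is padding: the same
            // value has a shorter encoding, so reject it as non-canonical.
            if i > 0 && b == 0 {
                return Err(VarintError::NonCanonical);
            }
            return Ok((value, i + 1));
        }
    }
    Err(VarintError::Truncated)
}

/// True when a negative vector fails with exactly the error its name claims.
pub fn hits_claimed_branch(bytes: &[u8], claimed: VarintError) -> bool {
    decode_varint(bytes) == Err(claimed)
}

fn main() {
    // Constructed vectors. Both are "padded" encodings, but only the short
    // one reaches the non-canonical branch; the long one overflows first.
    let padded_short = [0x81u8, 0x00];
    let padded_long = [0x80u8; 10];
    println!("short: {:?}", decode_varint(&padded_short));
    println!("long:  {:?}", decode_varint(&padded_long));
    println!(
        "long vector tests the non-canonical branch: {}",
        hits_claimed_branch(&padded_long, VarintError::NonCanonical)
    );
}
```

Asserting the exact error variant per negative vector, rather than only that decoding fails, is what exposes a vector that exercises a different branch than its name says.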