materializeDefaults now sets CKA_ENCRYPT/DECRYPT/SIGN/VERIFY/SIGN_RECOVER/VERIFY_RECOVER/WRAP/UNWRAP/DERIVE (plus ALWAYS_AUTHENTICATE for private keys) to CK_FALSE when absent, per CKO_PUBLIC_KEY/PRIVATE_KEY/SECRET_KEY; smoke sets the RSA wrap and recover usage flags.
build_module printed (ReleaseSafe) but ran plain 'zig build', which is Debug here (preferred_optimize_mode only ships ReleaseSafe with --release). It left a 20M Debug .so labeled as the shipped build, and 'zig build smoke' would reinstall Debug over any ReleaseSafe artifact via its install-step dependency.
Run build + test + smoke with --release=safe so the script produces and validates the real 5.9M shipped artifact end to end. Kept check-only (no dependency auto-install): missing deps still hard-fail/warn with the exact apt command.
Verified: ./install.sh exits 0 on a clean tree, final zig-out/lib/libhsm.so is 5.9M ReleaseSafe, tests + smoke pass, pkcs11-tool loads it.
learn/: add 00-OVERVIEW, 01-CONCEPTS, 02-ARCHITECTURE, 03-IMPLEMENTATION, 04-CHALLENGES, and MECHANICS (the byte-by-byte crypto deep-dive). CONFORMANCE shipped in M11. Real-breach grounding, function/file code refs (no line numbers), no AI voice.
Project README: flip M0-stale to real M0-M11 (21 mechanisms, std.Io.randomSecure, roadmap done through M12, learn/ link table).
Root README: graduate HSM to a completed project (Full Source Code 32->33, C badge -> Zig, title + footer now link to source and learn/).
Verified docs-only: zig build test and zig build smoke both exit 0, smoke mechanisms=21, objdump -T shows only C_GetFunctionList. No source changed.