feat(daemon): Phase 5 — parallel re-promote + USN replay on warm load + background refresh timer (closes #93, #94, #95, #96)

[githubrobbi]

Closes #93. Closes #94. Closes #95. Closes #96.

Fixes four post-Phase-4 issues identified during the v0.5.80 reference-host validation: a 2.6× perf regression in the Phase 4 re-promote path (#93), two correctness bugs that served stale data on warm cache load (#94), the absence of a background USN refresh timer (#95), and silent-failure modes in the compact-cache loader that hid root causes from production logs (#96).

What's in this PR

Two commits on after-phase-4-fixes:

Commit	Issues	Files
89848e27d	#93 + env-var idle TTLs	index/mod.rs, index/tests.rs, cache/policy.rs
0c05791c7	#94, #95, #96	9 files in uffs-core and uffs-daemon

#93 — Parallelize Phase 4 re-promote

Replaced the serial for letter in needs_promote { spawn_blocking; await; swap; } loop in IndexManager::ensure_warm_for_dispatch with a tokio::task::JoinSet fan-out so per-letter body loads run concurrently in the blocking pool. Each closure is std::panic::catch_unwind-wrapped to preserve the letter identifier through panics.

Real-world impact. v0.5.80 reference host: 6-drive Phase 4 re-promote dropped from 15.1 s sequential to ~max(per-drive) parallel — matching the existing 5.7 s cold-boot WARM baseline that was already parallel.

Bonus: added UFFS_HOT_TO_WARM_IDLE_SECS / UFFS_WARM_TO_PARKED_IDLE_SECS / UFFS_PARKED_TO_COLD_IDLE_SECS env-var overrides cached via OnceLock so the 30 min Warm→Parked idle can be compressed for fast iteration:

UFFS_WARM_TO_PARKED_IDLE_SECS=360 \
UFFS_HOT_TO_WARM_IDLE_SECS=60 \
    uffs daemon start --drive C,D,E,F,G,M,S

#94 — USN replay on warm cache load + Phase 4 re-promote

The user's conceptual model:

Tier	USN replay needed?
COLD (full MFT scan)	No — IS the truth
WARM (cached snapshot)	Yes — stale by definition
Phase 4 re-promote	Yes — Parked snapshot from boot

Two bugs in v0.5.80 violated this:

1. compact_loader::try_compact_cache_hit returned the on-disk compact cache directly without USN replay. 5/7 drives at the v0.5.80 reference run served stale data.
2. DiskBodyLoader::load (Phase 4 re-promote) bypassed TTL entirely with load_compact_cache(letter, u64::MAX, 0, true). A daemon up for a week served week-old indices on every re-promote.

Fix

• New pub fn load_drive_with_usn_refresh(letter) in uffs-core/src/compact_loader.rs — Windows-conditional helper that goes through MftReader::read_index_cached → apply_usn_updates_to_fresh_index (existing infra), rebuilds compact, and submits a background compact-cache save. Non-Windows stub returns an anyhow error so callers fall back transparently.
• New RefreshTiming struct (mft / compact / trigram / total ms).
• compact_loader::load_drive — removed the try_compact_cache_hit fast-path bypass. Cold-boot WARM now always goes through MftIndex (cache + USN replay on Windows; offline-file is a no-op).
• DiskBodyLoader::load — primary path is now load_drive_with_usn_refresh; falls back to bare load_compact_cache if the helper errors (drive G error 1179, journal unavailable, non-Windows).

Cost. Cold-boot WARM at N=7 drives parallel moves from ~5.7 s to ~7–10 s (one-time per daemon start) per the issue's predicted budget.

#95 — Background USN refresh timer

A daemon up for an hour previously served 1-hour-stale data; up for a week, 1-week-stale. No background USN apply existed (uffs-daemon had zero USN references).

Fix

• New spawn_usn_refresh_controller task in lib.rs — ticks every UFFS_USN_REFRESH_INTERVAL_SECS (default 300 s = 5 min, env-var overridable). Mirrors spawn_idle_demote_controller's structure.
• New IndexManager::refresh_usn_for_warm_shards — three-phase read-lock detect → parallel JoinSet USN refresh → per-letter replace_warm_body Arc-swap. Mirrors the Phase 4 perf: parallelize re-promote in ensure_warm_for_dispatch (15.1s sequential → ~5s parallel) #93 parallelism pattern; catch_unwind-wrapped per closure. Aggregate refreshed/failed/total_ms emitted at info-level on target: "shard.refresh".
• New ShardRegistry::replace_warm_body(letter, body) — swaps the body of a Warm/Hot shard while preserving stats; returns rebuilt registry; emits reason = "usn-refresh" on target: "shard.transition".
• New cache::policy::USN_REFRESH_INTERVAL_SECS constant + UFFS_USN_REFRESH_INTERVAL_SECS env-var override cached via OnceLock.

#96 — Structured LoadCacheError

load_compact_cache previously returned Option<DriveCompactIndex> and silently collapsed eight failure modes into a single None. Production logs showed "compact cache miss" with no way to distinguish "file missing on first boot" from "decryption failed (key rotated)" from "stale by epoch" from "runtime tempfile collision".

Fix

• New pub enum LoadCacheError with variants for each path: Missing, StaleByTtl, StaleVsMft, StaleByEpoch, Io, KeyUnavailable, DecryptFailed, DecompressFailed, ParseError, RuntimeTempfile, Deserialize.
• load_compact_cache now returns Result<DriveCompactIndex, LoadCacheError>.
• is_compact_cache_fresh (bool) replaced by check_compact_cache_freshness (Result<(), LoadCacheError>).
• All callers updated to log the structured error at appropriate levels.

Tests

cargo test -p uffs-daemon -p uffs-core --lib → 157 passed, 0 failed (was 153 before; net +4 new tests).

Test	Coverage
ensure_warm_for_dispatch_promotes_in_parallel	#93 — SlowBodyLoader records peak in-flight; pins peak ≥ 2 and wall ≤ 1.5 × delay
read_env_secs_falls_back_when_env_unset	env-var override fallback contract
refresh_usn_for_warm_shards_no_op_when_empty	#95 — fast-path early-return
refresh_usn_for_warm_shards_no_op_when_no_warm_or_hot	#95 — Parked-only registry skips JoinSet
refresh_usn_for_warm_shards_handles_helper_errors_gracefully	#95 — cross-platform graceful failure

Lint gates

Gate	Status
cargo test -p uffs-daemon -p uffs-core --lib	157 passed
just lint-prod	clean
just lint-tests	clean
just check-windows	clean
lint-pre-push (rustdoc + doc-tests + smoke + xwin)	167 s ✅

Risk

Medium. The cold-boot path change (#94) adds ~2 s per drive of compact rebuild work, taking N=7-drive parallel cold-boot from ~5.7 s to ~7–10 s. This is a one-time cost per daemon start and is acceptable per the issue spec. The Phase 4 re-promote change is pure improvement (parallel + USN-refreshed). The USN refresh timer (#95) runs entirely in the background with catch_unwind per-drive isolation; per-drive failures don't cascade.

Manual Windows verify checklist

After merge, suggested steps on the v0.5.80 reference host:

1. Cold-boot WARM regression. daemon kill && daemon start --drive C,D,E,F,G,M,S. Look for target=shard.transition reason=promote lines and the new target=shard.transition "♻️ USN-refreshed body ready" lines (one per drive). Total parallel time should be ≤ 10 s.
2. Phase 4 re-promote regression. UFFS_WARM_TO_PARKED_IDLE_SECS=360 daemon start ..., wait ~6.5 min, run * query — observe parallel re-promote with USN deltas applied. Total should be < 5 s for N=6 drives (vs 15.1 s sequential pre-Phase 4 perf: parallelize re-promote in ensure_warm_for_dispatch (15.1s sequential → ~5s parallel) #93).
3. Background refresh tick. UFFS_USN_REFRESH_INTERVAL_SECS=60 daemon start ..., watch for target=shard.refresh "USN refresh tick complete" lines every minute with refreshed=N matching the Warm/Hot drive count.
4. Stale-cache detection. Touch a file; within one refresh interval the daemon search should return it.