fix(transport): proactive reconnect — detect peer-closed socket before sending

[lopadova]

Problem (observed on a real device)

Financial commands (verifyCard, pay…) INTERMITTENTLY fail with
Error: ECR17: transport disconnected during exchange, while safe commands
(status, totals) succeed — apparent "works once, fails next". Logs show each
failing command: sent → connecting → connected → error: transport disconnected.

Root cause

ECR17/Nexi terminals close the TCP socket between transactions. The drop was
detected only reactively: HybridEcr17Client::ensureConnected() saw
transport_->isConnected() return true for a half-open socket (the Kotlin
reader thread had not yet observed the EOF — a race), so the command was sent on
a dead socket. The read then failed mid-exchange; runTransaction's catch
reconnected and applied the money-safety RetryPolicy: safe/idempotent commands
were replayed (→ ok), but financial commands were (correctly) NOT replayed →
a FALSE "transport disconnected" surfaced. The reactive reconnect left a fresh
socket, so the user's next attempt landed on a good one → the alternation.

The money-safety behavior was correct; the bug was discovering the drop after
the send instead of before.

Fix — proactive (pre-send) detection

Make Kotlin isConnected() a synchronous, non-destructive liveness probe:
It peeks one byte on a PushbackInputStream with a tiny (1ms) read timeout and immediately pushes it back: a returned -1 (EOF) means the peer closed, a read timeout means the (idle) socket is alive. It never writes to the peer (unlike sendUrgentData, which can land an inline 0xFF before the next STX frame on terminals with SO_OOBINLINE and corrupt a financial command) and never consumes a protocol byte. It runs under ioLock so it cannot race the reader thread's read(). On a detected close the socket is marked dead + onDisconnect fires, so the existing ensureConnected() (called at the start of every command) reconnects before the send — every command starts on a verified-live socket.

• HybridEcr17Transport.kt — isConnected() liveness probe + markDropped().
• HybridEcr17Client.cpp — clarifying comment on the now-proactive ensureConnected().
• HybridEcr17Transport.swift — comment noting .ready parity + async caveat (best-effort, no iOS CI).
• docs/LESSON.md — the finding.

Money-safety (unchanged)

• RetryPolicy.hpp (financial commands never blindly retried) — untouched.
• sendLastResult ('G') recovery — untouched.
• Only the FALSE drop from a stale pre-send socket is removed; a genuine
  mid-exchange drop still surfaces and is recovered via 'G'.
• The probe fires onDisconnect (sets the session disconnected_ flag), but every
  exchange()/sendAckOnly() calls resetForNewTransaction() first, so it cannot
  poison the next real exchange.

Verification

• TS typecheck green locally. Native (C++/Kotlin) verified only by the manual
  Android build CI (dispatched on this branch).

🤖 Generated with Claude Code

LRC regression fix (included)

This PR also reverts a pre-existing LRC regression in package/cpp/Lcr/Lcr.cpp. The
ETX-folding switch had been changed from case LrcMode::NOEXT: to case LrcMode::STD:,
which is wrong per the LrcMode semantics:

• std — fold payload only (must not fold ETX)
• noext — fold payload + ETX (must fold ETX)
• stx / stx_noext — also fold STX

With the bug, the default std mode folded ETX, so every application frame carried a
wrong LRC (the terminal NAKs everything) and test_lrc failed. Restored to
case LrcMode::STX: case LrcMode::NOEXT: — cpp-tests green, runtime framing correct.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e557443123

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

This PR addresses intermittent transaction failures caused by ECR17/Nexi terminals closing the TCP socket between transactions by adding a proactive (pre-send) connection liveness check, so commands start on a verified-live socket rather than discovering the drop mid-exchange.

Changes:

• Android: enhance isConnected() with a synchronous liveness probe (sendUrgentData) and add a drop-marking helper.
• C++/iOS: clarify the intended “pre-send liveness check” behavior via comments.
• Docs: capture the lesson learned and the rationale for the proactive probe.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
package/android/src/main/java/com/margelo/nitro/ecr17/HybridEcr17Transport.kt	Adds proactive socket liveness probing and a dropped-connection marker to avoid sending on half-open sockets.
package/cpp/Ecr17Client/HybridEcr17Client.cpp	Documents that ensureConnected() now relies on a proactive liveness probe before sending.
package/ios/HybridEcr17Transport.swift	Documents iOS parity expectations/limitations for the pre-send liveness check.
docs/LESSON.md	Records the real-device failure mode, root cause, and the proactive detection approach.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.