Summary

Robustness/correctness hardening for the driver IPC layer and the registry/client dialer. No wire-protocol or behavior changes for existing callers beyond added safety bounds.

Fixes

1. Stale IPC reply mis-correlation (client-side mitigation) — driver/ipc.go

The IPC wire protocol has no request IDs and the daemon dispatches requests concurrently, so a reply that arrives after its request timed out could be consumed by a later, unrelated request (wrong conn_id/result). Previously all replies funneled into one shared pending buffer that the next caller drained.

Now each sendAndWait registers a private, single-use waiter slot. readLoop delivers a reply only to the currently active waiter, and only when the reply cmd matches what that waiter expects (cmdError is always accepted). On timeout/disconnect the waiter is abandoned, so:

• a late reply arriving between requests finds no active waiter and is dropped;
• a stale reply arriving while a different request is in flight is dropped on cmd mismatch (the dangerous case — e.g. a dial reply landing on a health request).

Deferred: full cross-process ordering correctness needs daemon-side request IDs echoed in every reply (a coordinated daemon change + version bump). That is intentionally not done here and is marked TODO(PILOT). This client-side scheme only guarantees a late reply is not mis-delivered; it cannot recover the abandoned request's actual result, and two same-cmd replies remain indistinguishable without request IDs.

Regression test: TestLateReplyAfterTimeoutNotMisdelivered — confirmed to fail without the waiter cmd-match guard ("unexpected reply 0x0E") and pass with it.

2. DialAddr could hang forever — driver/driver.go

DialAddr used sendAndWait (no timeout). It now delegates to DialAddrTimeout with a 30s defaultDialTimeout. The other bounded sendAndWait callers — Listen and Broadcast — get the same bound. jsonRPC-based control ops keep the unbounded path because WaitForTrust legitimately blocks in the daemon.

3. Conn net.Conn conformance — driver/conn.go

• recvBuf is now guarded by a dedicated readMu so concurrent readers can't corrupt it (single-reader contract documented).
• SetWriteDeadline was a silent no-op; it is now implemented, backed by a writeDeadline checked before/between Write chunks. SetDeadline sets both read and write deadlines.
• Write godoc clarified: success means the bytes were enqueued to the local daemon over IPC, not transmitted/acknowledged by the peer.

4. Registry client dial timeouts — registry/client/client.go

Every initial net.Dial/tls.Dial (Dial, DialPool, DialTLS, DialTLSPool, initPool, DialTLSPinned) now uses a 5s dialTimeout (matching the existing reconnect paths) so startup/registry ops can't hang on an unreachable host.

5. Datagram send semantics — driver/driver.go

SendTo godoc made explicit: fire-and-forget; a nil return only means the frame was enqueued to the local daemon, not delivered. Semantics unchanged.

Validation

• GOWORK=off go build ./... — clean
• GOWORK=off go vet ./... — clean
• gofmt — all changed files clean
• GOWORK=off go test -race -parallel 4 ./... — all 15 packages pass
• gosec ./badgeverify/... — 0 issues (CI scope)
• govulncheck ./... — no vulnerabilities
• gitleaks detect — no leaks
• All fuzz targets (protocol, badgeverify, registry/wire) — pass (bounded runs)

Deferred work

Full request-ID protocol for IPC (daemon + driver, version-bumped) to make cross-process reply ordering provably correct. Tracked via TODO(PILOT) in driver/ipc.go.