docs(concurrency): add concurrency_policy.md + decompose daemon lib.rs (Phase 10g)

[githubrobbi]

What

Phase 10g + 10h close the Phase 10 audit chain (#302) with three atomic commits:

1. docs(concurrency) — workspace concurrency policy doc + per-crate # Concurrency rustdoc + CONTRIBUTING cross-link.
2. refactor(daemon) — decompose uffs-daemon/src/lib.rs (1066 LOC → 689 LOC) into log_init/startup/shutdown sibling modules; remove the now-obsolete file_size_exceptions.txt entry.
3. docs(concurrency) — closeout: §0 The model at a glance (the playbook §1142-1146 headline pass criterion), §6 Spawn-site registry (the 18-prod-site inventory), 3 named await_holding_* clippy entries pinned at deny, and a bulk_per_crate helper that brings concurrency_audit.sh under the < 5 s acceptance bar.

Commit 1 — docs(concurrency)

Creates docs/architecture/code-quality/concurrency_policy.md — the 7th companion to the existing 6 code-quality policy docs (panic, allocation, trait, dependency, build/codegen, lint-posture).

Codifies the five concurrency dimensions:

• Task ownership (T1/T2/T3 with required four-facet annotation: parent / shutdown / errors / cancellation).
• Lock discipline (L1-L5 patterns; L6 lock-across-await forbidden; enforced by three await_holding_* clippy lints at deny).
• Channel discipline (C1-C5; C6 undocumented-unbounded forbidden).
• Timeout policy (W1-W4; W5 unbounded cross-process await forbidden).
• Blocking-IO rule (B1-B4; B5 unbounded sync I/O on async runtime worker forbidden).

Plus shutdown coordination, required annotation templates, per-crate posture matrix, verification steps, anti-patterns, and the Phase 10 audit trail cross-linking PRs #303-#307 and the local per-dimension audit docs in docs/dev/baseline/2026-05-19/.

Per-crate # Concurrency rustdoc sections added to:

• uffs-daemon/src/lib.rs — runtime model + the six named spawn_* constructors that form the daemon's startup graph.
• uffs-mcp/src/lib.rs — stdio dispatcher / streamable-http axum server / daemon-bridge reader-loop + reload-pipeline-is-CLI-one-shot note.
• uffs-client/src/lib.rs — hybrid async + sync runtime model + the deliberate 300 s async vs 60 s env-overridable sync timeout asymmetry documented in phase_10_timeout_coverage_audit.md.
• uffs-mft/src/lib.rs — predominantly sync library + CLI binary; tokio only for daemon-embedded spawn_blocking MFT reads.

CONTRIBUTING.md gets a ## Concurrency policy section quoting the one-line rule, listing the five dimensions with their taxonomies, and cross-linking the policy doc.

Commit 2 — refactor(daemon)

crates/uffs-daemon/src/lib.rs was 1066 LOC (266 over the 800-LOC file-size policy ceiling). The existing rationale comment argued against splitting the spawn_* cluster because doing so would fragment the parent-task lifetime relationships — and that argument still holds. But the orchestrator's setup and terminal phases have no such coupling and can move out cleanly.

Three extractions:

• log_init.rs (105 LOC, new) — init_tracing + default_log_file. No collision with the tracing crate because the module is named log_init. pub use log_init::init_tracing; re-export preserves the public API exactly.
• startup.rs (238 LOC, new) — pre-spawn helpers: install_catastrophe_panic_hook, log_daemon_starting, emit_daemon_starting_event, load_daemon_config, bootstrap_lifecycle_manager, gather_mft_files, drive_letter_matches (+ windows / non-windows variants of resolve_drive_list), validate_data_sources. All pub(crate). drive_letter_matches upgraded to pub(crate) (was private) so the existing regression-pin test in tests.rs can still exercise it directly — preserved by updating the import to super::startup::drive_letter_matches;.
• shutdown.rs (84 LOC, new) — await_shutdown_then_force_exit + force_exit_with_watchdog. All pub(crate).

lib.rs after:

• 689 LOC (was 1066) — under the 800-LOC ceiling without an exception.
• Keeps the spawn_* cluster cohesive.
• Keeps DaemonConfig (public struct) and run_daemon (public orchestrator) for binary + embedded use.
• Removed the obsolete Exception: file_size_policy allows this file to exceed 800 LOC rationale comment from the crate-root rustdoc.

scripts/ci/file_size_exceptions.txt — removed the now-obsolete crates/uffs-daemon/src/lib.rs|PERMANENT: … entry.

Commit 3 — docs(concurrency) closeout

Closes the 4 gaps surfaced by the Phase 10 fidelity audit against the playbook §1142-1146 pass criteria + plan §2 acceptance criteria.

§0 The model at a glance (AC3 + playbook P3)

Adds the headline pass criterion ("concurrency model can be explained on one page") to concurrency_policy.md:

• Daemon task graph — Mermaid diagram with 11 nodes covering the 6 top-level spawn_* constructors + 2 subsystem-internal spawns + per-connection handle_connection + writer/notification sub-tasks.
• Shard-state lifecycle table — 6 states (Unknown/Cold/Parked/Warm/Hot/Evicting) with bloom/trie/body presence + entry triggers; cross-links ShardState::can_transition_to. Documents the two demote drivers (idle-TTL + memory-pressure cascade) and the Mac/Linux platform-no-op note.
• IPC-request lifecycle — 4 numbered steps: accept → per-connection task → reader/writer/notifier → per-RPC timeout.
• Shutdown sequence — 5 numbered steps: signal source → IPC drain → load drain (3 s timeout) → PID + socket cleanup → force-exit watchdog (5 s) + process::exit(0).

Word count: ~520 prose words + 1 Mermaid + 1 sub-table — under the 600-word budget per plan §3 risk register.

§6 Spawn-site registry (AC2 + AC6)

Adds the workspace-tracked enumeration of all 18 prod tokio::spawn( sites with the four required facets (owner / shutdown / errors / cancel). The table is keyed by group (A = top-level, B = subsystem long-lived, C = per-connection, D = sub-task, E = one-shot, F = runtime-cleanup / external) and references the source-of-truth hand-audit at docs/dev/baseline/2026-05-19/phase_10_task_ownership_inventory.md (local-only).

Adding a new prod spawn site now requires a matching row in the same PR — the audit-script §2 count is the gate; new spawn with no registry row fails review.

Renumbering: §6 (was Verification) → §7, §7 → §8, §8 → §9 to preserve narrative flow (policy → posture → registry → verification → anti-patterns → audit trail). No external references to the old numbers exist (verified via workspace grep).

Named await_holding_* clippy entries

Pins all 3 lints from clippy's suspicious group at deny in the workspace Cargo.toml:

[workspace.lints.clippy]
await_holding_lock         = "deny"
await_holding_refcell_ref  = "deny"
await_holding_invalid_type = "deny"

Effectively no behavior change — they were at warn-by-default, promoted to error via the workspace's CI -D warnings flag. The named entries make the policy doc's enforcement claim literal and survive any future tightening of the --deny warnings shape. An inline comment block at the entries cross-links concurrency_policy.md §1.

Also fixes a leaked absolute path in the policy doc (line 36 was @/Users/rnio/Private/Github/UltraFastFileSearch/Cargo.toml — now just Cargo.toml).

concurrency_audit.sh < 5 s (AC5)

Adds bulk_per_crate helper that runs one rg invocation per pattern across all of crates/ and buckets per-file counts into per-crate totals via awk + a bash nameref (local -n). Replaces the prior N-crates × M-patterns nested loop (~126 rg invocations for §1 alone, ~1.5 s of process-spawn overhead).

Wall-time impact: 6.24 s → 4.54 s (verified locally). Output is byte-identical (modulo the Captured: ISO timestamp).

Requires bash 4.3+ for nameref — script shebang is #!/usr/bin/env bash; macOS brew bash ships 5.x; CI runners are Ubuntu 22.04+ with bash 5.x by default.

Phase 10 final report (G3, local-only)

Adds docs/dev/baseline/2026-05-20/phase_10_final_report.md — mirrors phase_9_final_report.md cadence (gitignored under docs/dev/baseline/). ~290 LOC covering executive summary, per-dimension outcome table, 10-item change summary, 8-of-8 acceptance scorecard, G2 test-coverage audit (verdict: no real gap; soak/stress deferred to Phase 12 per plan §0.3), risk-register outcomes (6 of 6 mitigations consumed without incident), cross-references, verification, 10-entry decisions log, and Phase 10 closure note.

G2 test-coverage audit — verdict

Audited the existing test corpus against the playbook §1134-1140 testing dimensions. No gap found. Existing coverage:

• Cancellation tests: cache/journal_loop/tests/basics.rs::cancel_exits_within_convergence_deadline + 12 other journal-loop tests using handle.cancel() + bounded-timeout assertions.
• Shutdown tests: 4 daemon integration tests use nonce-gated shutdown RPC + shutdown_daemon helper.
• Backpressure tests: 4 threshold tests + 1 end-to-end 10 000-event drain test.
• Subsystem cancellation tests: pressure_subscriber_drains_warm_cascade_on_low_and_no_ops_on_high (A6), idle_demote_tracing (A5), wait_for_in_flight_clear (F1).
• Stress / soak: deferred to Phase 12 (perf characterization) per plan §0.3 — no hot-path contention was found in Phase 10b to motivate earlier introduction.

No test additions required.

Rule-1 adherence

• Zero #[allow(...)] introductions.
• No suppression hacks, no skipped tests, no lint disables.
• No public API change — uffs_daemon::{init_tracing, run_daemon, DaemonConfig} resolve to the same items as before via the pub use log_init::init_tracing; re-export.
• Doc-link references to private items demoted to backtick text references (not [...] intra-doc links) so cargo doc -D rustdoc::broken-intra-doc-links stays clean on the public surface.

Verification

Local (at closing commit):

• cargo fmt --all — clean.
• cargo clippy --workspace --all-targets -- -D warnings — clean (now also enforcing 3 named await_holding_* lints at deny).
• cargo test -p uffs-daemon --lib — 298 passed / 0 failed.
• cargo test -p uffs-daemon (full incl. integration + doctests) — clean (4 ignored require pre-built daemon binary; 2 doctests ignored by design).
• bash scripts/ci/check_file_size_policy.sh — clean.
• RUSTDOCFLAGS="-D warnings -D rustdoc::broken-intra-doc-links" cargo doc --workspace --no-deps — clean.
• bash scripts/dev/concurrency_audit.sh > /tmp/audit.md — 4.54 s (was 6.24 s pre-optimization), 321-line Markdown output.
• Pre-commit lint-fast — all 7 stages passed (file-size / typos / reuse / taplo / ...).
• Pre-push lint-pre-push — all 17 stages passed in 132 s (includes rustdoc, doctests, tests, smoke, lint-ci-windows).

Acceptance scorecard

All 8 of 8 plan §2 ACs + 3 of 3 playbook §1142-1146 P-criteria green:

#	Criterion	Status	Evidence
AC1	No lock-across-await hazards	✅	PR #304 (2 of 36 refactored to L5) + 3 named clippy deny entries (this PR commit 3)
AC2	Task lifecycle explicit + full inventory	✅	concurrency_policy.md §6 enumerates 18 prod sites
AC3	One-page concurrency model	✅	concurrency_policy.md §0 (~520 prose words + 1 Mermaid + 1 sub-table)
AC4	Backpressure + timeout posture intentional	✅	PRs #306 (channels) + 10e findings (timeouts, folded into §2.4)
AC5	concurrency_audit.sh < 5 s	✅	4.54 s wall (was 6.24 s; bulk_per_crate helper)
AC6	Policy doc has 7 required sections	✅	§0 model + §6 registry + §2.2/§2.3/§2.4/§2.5 + §3 shutdown
AC7	CONTRIBUTING.md cross-link	✅	## Concurrency policy section (commit 1)
AC8	Per-crate # Concurrency rustdoc	✅	uffs-daemon + uffs-mft + uffs-mcp + uffs-client lib roots (commit 1)
P1	No lock-across-await hazards remain	✅	= AC1
P2	Task lifecycle explicit at every spawn site	✅	= AC2
P3	Concurrency model explainable on one page	✅	= AC3

Tracking

Refs #302 (Phase 10 umbrella) — closes on merge.

• Phase 10g + 10h delivered as a single PR per plan §0.3 ("if 10g and 10h are scoped tight, fold 10h into the 10g PR rather than a separate one").
• The Phase 10 final report (docs/dev/baseline/2026-05-20/phase_10_final_report.md) lives local-only per the docs/dev/baseline/ gitignore convention; SHA + close note will be linked from the umbrella issue at merge.