fix(daemon): self-terminate on lock-file inode mismatch

[ALRubinger]

Summary

Resolves finding 3b from #528 — the singleton-invariant violation observed during #454 Test 6 (three concurrently-running daemons each holding flock on a different inode).

flock(2) is held against an open file descriptor, which pins the inode — not the path. An external rm -rf ~/.aileron (or any unlink + recreate at the same path) leaves a running daemon flock'd against an orphaned inode while a fresh daemon flock's a brand-new inode at the same path. Both processes hold valid locks on different underlying inodes and neither knows the other exists.

Approach

1. Capture the inode of daemon.lock at startup, immediately after discovery.Lock returns (internal/server/main.go).
2. Watcher goroutine stats the path every lockInodeWatchInterval (5 s in production, overrideable for tests). When the inode changes — or the file is unlinked — it closes a inodeMismatch channel. The daemon's main select picks up the signal and initiates clean shutdown.
3. Skip discovery.Remove on the inode-mismatch shutdown path: daemon.json and daemon.pid now belong to the daemon that took over, and removing them would erase its advertisement. Tracked via an atomic.Bool set just before shutdown.

New helper: discovery.LockFileInode(stateDir) (uint64, error) — wraps os.Stat + syscall.Stat_t.Ino so the daemon can probe the path without exposing platform internals at the call site. Returns the wrapping os.ErrNotExist when the file has been unlinked.

Test plan

• discovery.TestLockFileInode_StableThenChangesAfterUnlinkRecreate — pins the inode contract: stable across calls; ENOENT after unlink; fresh inode after re-creation. This is the empirical underpinning of 3b.
• server.TestRun_LockInodeMismatchTriggersShutdown — end-to-end: daemon starts, external rm + recreate of daemon.lock, watcher detects within ~50 ms (test interval), run() returns nil, daemon.json/daemon.pid are intact.
• server.TestWatchLockInode_FileDisappeared — ENOENT branch: unlink-but-no-recreate also triggers shutdown.
• server.TestWatchLockInode_StopsOnContextCancel — leak prevention: watcher exits cleanly on ctx cancel and does not falsely fire the trigger.
• All existing server / discovery / spawn tests still pass.
• Coverage on watchLockInode: 88.2% (only uncovered: transient stat-error fallthrough, log.Warn + continue).

Notes

• 5 s poll is conservative; the failure mode (concurrent daemons) is hours-long, so a 5 s detection window is plenty fast and costs ~one stat per tick under steady-state.
• This is the second of two PRs against Feedback: manual acceptance testing for #454 (Local Daemon Architecture) #528 finding 3 (lock-related concurrency). Finding 3a (client-side retry on lock-acquire timeout) is in fix(spawn): retry readAlive on lock-acquire timeout #530.

🤖 Generated with Claude Code

[railway-app]

🚅 Deployed to the aileron-pr-531 environment in aileron

1 service not affected by this PR

• docs

[codecov]

Codecov Report

❌ Patch coverage is 86.36364% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.42%. Comparing base (970400c) to head (d62f0d0).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #531      +/-   ##
==========================================
- Coverage   82.34%   81.42%   -0.93%     
==========================================
  Files         221      221              
  Lines       21908    21959      +51     
==========================================
- Hits        18041    17880     -161     
- Misses       2758     2986     +228     
+ Partials     1109     1093      -16     

Flag	Coverage Δ
integration	9.56% <45.45%> (-8.00%)	⬇️
unit	77.84% <86.36%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.