File: crates/client/src/search/handle.rs:96 (also lines 102, 108, 118, 128, 133, 138)
Severity: quality
Obvious? no
The doc comment on insert (lines 61-68) carefully documents that dropped inserts are recovered by the rebuild Effect on messages_sig change — a real backpressure design. But that recovery path does NOT cover remove_message, remove_channel, remove_grove, set_config, push_recent, forget_recent, or clear_all_recents. If any of those do_send(...).ok() calls drops on a full mailbox, deleted messages remain searchable until a full rebuild, and clear_all_recents/forget_recent may silently leave entries in the persisted recents (a privacy concern). The code claims one well-reasoned policy in the docs but applies a broader silent-drop to operations the docs don't cover.
Fix: either (a) document the same recovery story for removes (e.g. removes are eventually-consistent because the index is also rebuilt on a periodic Effect, if true), or (b) at minimum log the drop with tracing::warn!.
Filed by /general-audit @ 88498a5 (2026-05-04). master: #600.
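A minimal model of the silent drop described above and of fix option (b), added here as an illustration and not taken from the project's code. It assumes a std bounded channel in place of the actor mailbox, `try_send` in place of `do_send`, and `eprintln!` in place of `tracing::warn!`; `Handle`, `Msg`, `send_silent` and `send_logged` are hypothetical names.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::mpsc::{sync_channel, Receiver, SyncSender, TrySendError};

// Hypothetical message set; only the operation names come from the issue.
#[allow(dead_code)]
#[derive(Debug)]
enum Msg {
    RemoveMessage(u64),
    ClearAllRecents,
}

struct Handle {
    tx: SyncSender<Msg>,
    dropped: AtomicUsize, // drops that no rebuild path is documented to repair
}

impl Handle {
    fn new(capacity: usize) -> (Self, Receiver<Msg>) {
        let (tx, rx) = sync_channel(capacity);
        (Handle { tx, dropped: AtomicUsize::new(0) }, rx)
    }

    // The flagged pattern: a full mailbox loses the message without a trace.
    fn send_silent(&self, msg: Msg) {
        self.tx.try_send(msg).ok();
    }

    // Option (b): count and log the drop. eprintln! stands in for tracing::warn!.
    fn send_logged(&self, op: &'static str, msg: Msg) -> bool {
        match self.tx.try_send(msg) {
            Ok(()) => true,
            Err(TrySendError::Full(_)) | Err(TrySendError::Disconnected(_)) => {
                self.dropped.fetch_add(1, Ordering::Relaxed);
                eprintln!("WARN search mailbox dropped {}; index or recents may be stale", op);
                false
            }
        }
    }
}

fn main() {
    let (h, rx) = Handle::new(1); // capacity 1 so the second send hits a full mailbox
    h.send_silent(Msg::RemoveMessage(1)); // accepted, fills the mailbox
    h.send_silent(Msg::ClearAllRecents); // lost, nothing recorded anywhere
    let delivered = h.send_logged("remove_message", Msg::RemoveMessage(2));
    println!("delivered={} dropped={}", delivered, h.dropped.load(Ordering::Relaxed));
    println!("queued: {:?}", rx.try_iter().collect::<Vec<_>>());
}
```

The boolean return and the counter give callers and tests something to assert on, which the `.ok()` form cannot.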