Invariant hardening (deferred): durable broker state + CAS transitions

[mark-e-deyoung]

Summary

Advanced invariant hardening for control/session state beyond current lock-based guarantees.

Deferred Scope (grouped)

1. Persist broker control snapshot (control_state.json) on major transitions and reload at startup.
2. Add generation-based CAS semantics for session/control state writes to prevent stale-writer updates.

Why deferred

• Requires migration/versioning decisions for persisted broker state.
• Requires careful API compatibility and broader refactor of state update paths.

Acceptance Criteria

• Restart-safe broker state restoration is deterministic and tested.
• CAS write conflicts are detected and surfaced with explicit errors.
• Transition tests cover stale update rejection and retry paths.

[mark-e-deyoung]

Release triage classification (2026-02-25): Defer (high-value hardening, not immediate blocker by default).

Reason:

• Durable broker state + CAS transitions improve robustness, but current release can proceed unless a dependent project requires stronger multi-controller durability guarantees.

Recommendation:

• Keep open and schedule as next hardening wave.