fix: distinguish fast-crash from update exit to bound #4551 crash loops

[sanity]

Problem

#4570 moved StartLimitBurst/StartLimitIntervalSec into the [Unit] section so systemd now actually honours the crash-loop limiter (they were silently ignored in [Service]). With the limiter effective, gaps remained:

1. The unit's SuccessExitStatus=42 43 whitelists the node's fatal-listener exit code (42, from Gateway death-spirals at ~100% CPU in libunwind FDE-cache invalidation under contract-executor backpressure; network listener dies, node wedges unrecoverable (0.2.81) #4549). A node stuck in a boot-wedge loop exits 42 every ~10s and never counts toward StartLimitBurst — so the limiter wouldn't bound the one case it most needs to.
2. The limiter's terminal action was implicit (a tripped loop should stop the unit, not reboot the host).

Solution

Builds on #4570. Adds a crash-vs-update distinction so the now-effective limiter bounds real boot-wedge loops without losing the auto-update self-heal, on every supervision path.

systemd path

• StartLimitAction=none (default, made explicit) in both units: a tripped loop STOPS the unit rather than rebooting the host. Recover with systemctl reset-failed freenet && systemctl start freenet.
• FAST_CRASH_EXIT_CODE = 45 (kept OUT of SuccessExitStatus) + a min-uptime guard, fatal_listener_exit_code(uptime, fast_crash_enabled):
  • fatal listener exit < 60s uptime → exit 45 (counted, so a tight loop trips StartLimitBurst and the unit stops);
  • >= 60s → exit 42 (burst-exempt).
• ExecStopPost runs freenet update on exit 42 OR 45 (via a case, avoiding &&/|| precedence pitfalls). Counting (StartLimit) and self-heal (ExecStopPost) are independent, so a boot-crash that a newer release fixes still self-heals (Gateway death-spirals at ~100% CPU in libunwind FDE-cache invalidation under contract-executor backpressure; network listener dies, node wedges unrecoverable (0.2.81) #4549) even though exit 45 is rate-limited — freenet update is a separate process that can succeed even when freenet network boot-crashes.

cross-platform / cross-version safety

Exit 45 is meaningful only under a unit that handles it, so it is emitted only when the binary opts in (enable_fast_crash_exit_code(), mirroring the existing enable_abort_on_fatal_listener_exit()), and the entry point opts in only when the supervising unit advertises 45 support via a marker env var (FREENET_SYSTEMD_FAST_CRASH) that the regenerated systemd unit sets. This ties runtime behavior to the on-disk unit's actual capability:

• macOS/Windows in-process run-wrapper (knows only 42; self-heals on 42 and bounds the loop with its own backoff + 50-failure cap) → no marker → keeps emitting 42.
• Old/custom systemd unit — including a node auto-updated to this binary but whose unit file was never regenerated → no marker → keeps emitting 42 (its existing exit-42 self-heal works).
• Unsupervised → no marker → 42 (moot).

The marker is referenced through the SYSTEMD_FAST_CRASH_ENV_VAR const in both the unit template and the entry-point check (single source of truth, no literal drift).

Testing

• node::p2p_impl: fast-crash code distinct + counted; uptime split when enabled; always 42 when disabled (run-wrapper / old-unit / unsupervised); both the abort and fast-crash flags are opt-in / off-by-default.
• service.rs: StartLimitAction in [Unit]; exit-45 out of SuccessExitStatus; ExecStopPost fires update on 42|45; fast-crash marker present (asserted via the const).
• StartLimitBurst/IntervalSec [Unit]-placement is covered by fix: move StartLimitBurst/StartLimitIntervalSec into [Unit] section of generated systemd units #4570's linux.rs tests (not duplicated). Those #4570 helpers are also hardened to find section headers by line, not substring, so the legitimate [Service] reference now in a [Unit] comment isn't misparsed.
• cargo fmt; cargo clippy --locked -- -D warnings and --features trace-ot both clean. Both generated units pass systemd-analyze verify (exit 0; only the pre-existing ExecStartPre shell-escape notice).

Refs #4551 (the section-placement fix landed in #4570); this completes the crash-loop bounding. Builds on #4570.

Note

The systemd burst-behavior change (counting exit 45 toward StartLimitBurst, StartLimitAction=none, marker-gated opt-in) wants a smoke-test on a live systemd host before the next release, per .claude/rules/deployment.md (a cfg(target_os = "linux") service path CI does not exercise end-to-end).

[AI-assisted - Claude]

🤖 Generated with Claude Code

[github-actions]

Rule Review: No issues found

Rules checked: git-workflow.md, code-style.md, testing.md
Files reviewed: 7

Summary of changes reviewed:

• auto_update.rs — new SYSTEMD_FAST_CRASH_ENV_VAR constant
• service.rs — new test assertions and helper functions for section-placement verification
• service/linux.rs — systemd unit template changes + test helper hardening
• freenet.rs — opt-in call to enable_fast_crash_exit_code
• lib.rs / node.rs — re-exports
• node/p2p_impl.rs — core logic: FAST_CRASH_EXIT_CODE, MIN_HEALTHY_UPTIME_FOR_UPDATE_EXIT, fatal_listener_exit_code(), EMIT_FAST_CRASH_EXIT_CODE, tests

Checks performed:

• Commit message: fix: distinguish fast-crash from update exit to bound #4551 crash loops — 71 chars, valid fix: prefix. ✓
• Regression tests: fatal_listener_exit_code_distinguishes_fast_crash_from_healthy_uptime, fatal_listener_exit_code_uses_update_code_when_fast_crash_disabled, and fast_crash_exit_code_is_distinct_and_counted directly test the new pure function for the exact bug being fixed. ✓
• Boundary conditions: [0,1,10,30,59] (fast crash), exact threshold 60s, [60,120,3600,86400] (healthy uptime), and the fully-disabled path all covered. ✓
• No .unwrap() in production code — panic!() calls are confined to mod tests helpers. ✓
• start_time.elapsed() at call site — start_time is a pre-existing tokio::time::Instant (line 378, not introduced by this PR); this is Rule Lint territory, not new. ✓
• Platform guards: section_of_directive helper and its consumer tests are consistently #[cfg(target_os = "linux")]. ✓
• EMIT_FAST_CRASH_EXIT_CODE global atomic: set-once at startup, read in hot path — standard pattern; fatal_listener_exit_code takes it as a parameter for testability, bypassing global state in unit tests. ✓
• fatal_listener_exit_code extracted as pure function: matches the project pattern for testable decision logic (references deployment.md in its own docstring). ✓
• section helper in linux.rs: correctly hardened from find("\n[") substring search to line-by-line matching to avoid false matches on section names appearing in inline comments. ✓

No rule violations detected.

---

Rule review against .claude/rules/. WARNING findings block merge.

[sanity]

Reviewed and approving. Verified end to end: fast-crash exit-45 is emitted ONLY when the freshly-generated systemd unit sets the SYSTEMD_FAST_CRASH_ENV_VAR marker, so the macOS/Windows wrapper, unsupervised nodes, and a node that auto-updated the binary but not yet its old systemd unit all keep emitting exit-42 (existing self-heal + loop-bounding intact) — no regression on any path. The new unit fires freenet update on exit 42 OR 45 (boot-crash self-heal) while keeping 45 out of SuccessExitStatus so StartLimit counts it and a tight loop is bounded. Comprehensive tests (marker gating, ExecStopPost 42|45, exit-code selector, systemd-analyze), CI green. Completes #4551 with #4570. Merging.

[AI-assisted - Claude]