fix: resolve code-review findings (locally verified)

Server-054/055/056, Contracts-020/021/022, Tests-036/038/039,
IntegrationTests-030/031/032 (+033 deferred to live rig),
Client.Dotnet-026/028/029 (+027 won't-fix), Client.Go-030..034,
Client.Python-032..036, Client.Rust-033..038.

Key fix: SessionEventDistributor orphaned a subscriber that registered after
the pump completed but before disposal (Server-056) -> register paths now
complete late registrants under _lifecycleLock; regression test added. The
racy dashboard-mirror gRPC test made deterministic (Tests-039).

Verified green locally: gateway Tests targeted classes (GatewaySession,
SessionEventDistributor, GatewayOptionsValidator, ProtobufContractRoundTrip,
GatewaySessionDashboardMirror) + dotnet/go/python/rust client suites.

code-reviews/Client.Rust/findings.md

@@ -7,7 +7,7 @@
 | Review date | 2026-06-16 |
 | Commit reviewed | `8df5ab3` |
 | Status | Re-reviewed |
-| Open findings | 6 |
+| Open findings | 0 |
 
 ## Checklist coverage
 
@@ -787,13 +787,13 @@ This is masked by the tests: `tls_with_require_certificate_validation_does_not_s
 | Severity | Medium |
 | Category | Correctness & logic bugs |
 | Location | `clients/rust/crates/mxgw-cli/src/main.rs:485` |
-| Status | Open |
+| Status | Resolved |
 
 **Description:** `ConnectionArgs::options()` computes plaintext as `!self.tls || self.plaintext`. With both `--tls` and `--plaintext` supplied, this is `true`, silently degrading to an unencrypted channel despite the explicit `--tls`. A security-sensitive footgun (e.g. a script auto-appending `--plaintext`).
 
 **Recommendation:** Add clap `conflicts_with = "tls"` on `--plaintext` (reject the combo), or prefer `--tls` and warn.
 
-**Resolution:** _(empty until closed)_
+**Resolution:** 2026-06-16 — Added `conflicts_with = "tls"` to the `--plaintext` arg so supplying both is rejected at parse time, removing the silent downgrade. Tests: `connection_rejects_tls_and_plaintext_together`, `connection_tls_flag_disables_plaintext`, `connection_defaults_to_plaintext`, `connection_plaintext_flag_selects_plaintext`.
 
 ### Client.Rust-034
 
@@ -802,13 +802,13 @@ This is masked by the tests: `tls_with_require_certificate_validation_does_not_s
 | Severity | Low |
 | Category | Correctness & logic bugs |
 | Location | `clients/rust/crates/mxgw-cli/src/main.rs:48-51,548` |
-| Status | Open |
+| Status | Resolved |
 
 **Description:** `Command::Version` carries a `jsonl: bool` field that is never read; the dispatch arm matches `{ json, .. }` and discards `jsonl`. `mxgw version --jsonl` silently behaves as plain text.
 
 **Recommendation:** Handle `jsonl` in the Version arm (treat like `--json`) or remove the unused field.
 
-**Resolution:** _(empty until closed)_
+**Resolution:** 2026-06-16 — Removed the unused `jsonl` field from `Command::Version` (version output is a single record, not a stream); the dispatch arm now matches `{ json }` exhaustively, so `mxgw version --jsonl` errors as an unknown flag instead of silently being ignored. No test (CLI surface change verified by build).
 
 ### Client.Rust-035
 
@@ -817,13 +817,13 @@ This is masked by the tests: `tls_with_require_certificate_validation_does_not_s
 | Severity | Low |
 | Category | Security |
 | Location | `clients/rust/crates/mxgw-cli/src/main.rs:489-495` |
-| Status | Open |
+| Status | Resolved |
 
 **Description:** `--api-key-env` (default `MXGATEWAY_API_KEY`) names an env var read into an `ApiKey` Bearer token, but its clap help has no description of the expected value format. A user pointing it at another credential's env var would silently forward that credential to the gateway as a Bearer token. Low risk (redacted Debug; bounded to user's own shell) but an implicit-trust gap.
 
 **Recommendation:** Add help text stating the variable must hold a value of the form `mxgw_<key-id>_<secret>`.
 
-**Resolution:** _(empty until closed)_
+**Resolution:** 2026-06-16 — Added clap doc-comment help to `--api-key-env` stating the variable's value must be a full gateway key of the form `mxgw_<key-id>_<secret>` and is forwarded verbatim as the Bearer token. Doc/help-only change, no test.
 
 ### Client.Rust-036
 
@@ -832,13 +832,13 @@ This is masked by the tests: `tls_with_require_certificate_validation_does_not_s
 | Severity | Low |
 | Category | Design-document adherence |
 | Location | `clients/rust/RustClientDesign.md:351` |
-| Status | Open |
+| Status | Resolved |
 
 **Description:** The new `galaxy browse` subcommand (with its filter/depth/json flags) is not listed in the "Test CLI" command table in RustClientDesign.md, which still reads `galaxy {test-connection,last-deploy-time,discover-hierarchy,watch}`.
 
 **Recommendation:** Add `mxgw galaxy browse [...flags]` and note `--depth 0` = requested level only, `--depth N` eagerly expands, and `--parent-gobject-id` makes `--depth` a no-op.
 
-**Resolution:** _(empty until closed)_
+**Resolution:** 2026-06-16 — Added the `mxgw galaxy browse` line (with all flags) to the CLI table and a paragraph documenting that `--depth 0` prints only the requested level, `--depth N` eagerly expands N further levels, and `--parent-gobject-id` makes `--depth` a no-op. Doc-only change, no test.
 
 ### Client.Rust-037
 
@@ -847,13 +847,13 @@ This is masked by the tests: `tls_with_require_certificate_validation_does_not_s
 | Severity | Low |
 | Category | Design-document adherence |
 | Location | `clients/rust/README.md:164-179` |
-| Status | Open |
+| Status | Resolved |
 
 **Description:** The README "Browsing lazily" example calls `galaxy.browse_children(...).await?.into_inner()`, but the public API is `GalaxyClient::browse_children_raw` (the bare `browse_children` is the generated proto-client method, not public; and `browse_children_raw` returns the reply struct directly, no `.into_inner()`). The example would not compile.
 
 **Recommendation:** Replace with `galaxy.browse_children_raw(BrowseChildrenRequest::default()).await?` (drop `.into_inner()`).
 
-**Resolution:** _(empty until closed)_
+**Resolution:** 2026-06-16 — Verified `browse_children_raw` is the public method (galaxy.rs:302) and returns `BrowseChildrenReply` directly. Updated the README prose and example to call `browse_children_raw(...).await?` without `.into_inner()`. Doc-only change, no test.
 
 ### Client.Rust-038
 
@@ -862,10 +862,10 @@ This is masked by the tests: `tls_with_require_certificate_validation_does_not_s
 | Severity | Low |
 | Category | Testing coverage |
 | Location | `clients/rust/crates/mxgw-cli/src/main.rs:2336-2564` |
-| Status | Open |
+| Status | Resolved |
 
 **Description:** Three CLI test gaps: (1) `ConnectionArgs::options()` `--tls`/`--plaintext` resolution (incl. the both-set path of Client.Rust-033) is untested; (2) `browse_children_one_level`'s repeated-page-token guard is untested; (3) `parse_rfc3339_timestamp` has no error-path tests (trailing chars, day=0, month 13, out-of-range day).
 
 **Recommendation:** Add unit tests for all three (none need a network connection).
 
-**Resolution:** _(empty until closed)_
+**Resolution:** 2026-06-16 — Added all three test groups. (1) `--tls`/`--plaintext` resolution: `connection_defaults_to_plaintext`, `connection_tls_flag_disables_plaintext`, `connection_plaintext_flag_selects_plaintext`, `connection_rejects_tls_and_plaintext_together`. (2) Extracted the page-token dedup guard into pure `register_page_token` and covered it with `register_page_token_accepts_distinct_tokens_and_rejects_repeats`. (3) RFC3339 error paths: `rfc3339_parser_rejects_trailing_characters`, `rfc3339_parser_rejects_day_zero`, `rfc3339_parser_rejects_month_thirteen`, `rfc3339_parser_rejects_day_out_of_range_for_month`.