fix(spec-044): autostart nil result not cached (gemini P1)

Gemini cross-review found a tray-core boot race: if the core process
starts milliseconds before the tray writes tray-autostart.json, the
first Read() sees fs.ErrNotExist and (before this fix) marked
cachedOnce=true, locking autostart_enabled to null for the whole 1h
TTL window — even after the tray subsequently wrote `true`.

Fix: on ErrNotExist and other transient I/O errors, do NOT mark
cachedOnce. Return nil this call but allow the next Read() to re-probe.
Successful reads (including malformed-JSON "known unknowable") still
cache for the full TTL.

Adds TestReadAutostart_BootRaceDoesNotPoisonCache covering the race
scenario: first read on absent file -> nil; tray writes sidecar;
second read within TTL -> picks up the new value.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: claude

internal/telemetry/autostart.go

@@ -102,15 +102,18 @@ func (r *AutostartReader) Read() *bool {
 
 	data, err := os.ReadFile(r.Path)
 	if err != nil {
-		// File absent → tray not running (or never launched). Cache nil.
+		// File absent → tray not running (or hasn't written the sidecar yet).
+		// Tray-core boot race: if core starts slightly before the tray, the
+		// first Read() sees ErrNotExist and would poison the 1h TTL with nil,
+		// causing AutostartEnabled to stay null for the whole first hour even
+		// after the tray publishes `true`. Do NOT mark cachedOnce so the next
+		// Read() re-probes. Gemini P1 cross-review.
 		if errors.Is(err, fs.ErrNotExist) {
 			r.cached = nil
-			r.cachedAt = now
-			r.cachedOnce = true
 			return nil
 		}
-		// Other errors (permissions, etc.): cache nil but don't poison the
-		// long TTL — use a short retry by not marking cachedOnce.
+		// Other errors (permissions, etc.): same short-retry behaviour — do
+		// not mark cachedOnce so the next heartbeat tries again.
 		r.cached = nil
 		return nil
 	}

internal/telemetry/autostart_test.go

@@ -114,6 +114,36 @@ func TestReadAutostart_CachedOneHour(t *testing.T) {
 	}
 }
 
+// TestReadAutostart_BootRaceDoesNotPoisonCache: gemini P1 — if the core's
+// first Read() happens BEFORE the tray writes the sidecar, a missing file
+// must NOT poison the 1h TTL. The next Read() should re-probe and see the
+// value the tray has since written.
+func TestReadAutostart_BootRaceDoesNotPoisonCache(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "tray-autostart.json")
+	// File deliberately absent at first read — simulates core-starts-before-tray.
+
+	r := &AutostartReader{Path: path}
+	if got := r.Read(); got != nil {
+		t.Fatalf("first Read() = %v, want nil (file absent)", *got)
+	}
+
+	// Tray now writes the sidecar (the race has closed).
+	if err := os.WriteFile(path, []byte(`{"enabled": true}`), 0o644); err != nil {
+		t.Fatal(err)
+	}
+
+	// Second Read() within the 1h TTL must re-probe and see the new value.
+	// Before the fix, this returned nil (poisoned cache) for up to an hour.
+	got := r.Read()
+	if got == nil {
+		t.Fatalf("second Read() = nil, want *true (tray wrote sidecar after first read)")
+	}
+	if *got != true {
+		t.Fatalf("second Read() = %v, want true", *got)
+	}
+}
+
 // TestDefaultAutostartReader_PathResolution: the default constructor returns
 // a reader that does not panic on a missing sidecar.
 func TestDefaultAutostartReader_PathResolution(t *testing.T) {