Formalize session ephemeral + resumeCursor durable context model

[rororowyourboat]

Context

From the system design audit, the Session-Thread coupling creates an implicit distributed state problem. Session state lives in-process while Thread state lives in the event store, but the boundary is not documented.

Design Decision (from spec)

INV-6: Session state is ephemeral; does not survive process restarts. On restart, all sessions initialize to idle.

The resumeCursor (provider thread ID) is stored in the event store, enabling a new session to pick up from the last completed turn. The session process is ephemeral; the turn/message context is durable.

Session State Machine (from spec)

IDLE -> STARTING -> RUNNING -> READY (turn complete)
                            -> INTERRUPTED (user interrupt)
                            -> ERROR (provider fault)
READY -> RUNNING (next turn)
ERROR -> IDLE (explicit stop + restart)
On process restart: ALL sessions -> IDLE

Proposed Changes

1. Document INV-6 in codexAppServerManager.ts and any Claude adapter code
2. Ensure server startup explicitly resets all session projections to "idle"
3. Add test: kill server mid-session -> restart -> verify sessions are idle, thread history intact, resumeCursor available for next session start
4. Document the session state machine in .plans/21-system-design-spec.md (done) and in code comments

Acceptance Criteria

• Session-to-idle reset on startup is explicit and tested
• resumeCursor preservation across restarts is tested
• Session state machine documented in code

References

• System Design Spec: .plans/21-system-design-spec.md Section 5 (Session State Machine)
• Audit finding: "Session-Thread coupling creates an implicit distributed state problem"

[rororowyourboat]

Implemented in commit 54763f0 — INV-6 documented in Codex adapter, Claude adapter, startup, AGENTS.md