ADR-0025 — Watcher-as-hint + authoritative rescan + content-hash truth

Context

To sync promptly, the client watches the filesystem. But every OS watcher is lossy: Linux inotify drops events on queue overflow (default 16,384) emitting IN_Q_OVERFLOW; macOS FSEvents coalesces and can demand MUSTSCANSUBDIRS; Windows ReadDirectoryChangesW returns 0 bytes (all events lost) on buffer overflow; none work on NFS/SMB; inotify cannot even tell you which process caused an event. A correctness model that trusts the watcher will silently miss changes — the canonical “it didn’t sync my file” bug.

Decision

Treat the watcher as a latency optimization only; make authoritative scanning + content hashing the source of truth:

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

Stat fast-path makes rescans stat-bound; ignore-rules (.git, node_modules, build dirs) prevent event storms from blowing the inotify queue; deep scans run off-peak.