fix: production panic regressions (#943)

* Fix stale DAG causal iteration after node splits

* Fix richtext cursor updates at fragment tails

* Add list import regression for split tracking

* Recover document locks after panic poisoning

* Add unpoisoned lock helpers across core internals

* Fail fast on poisoned core locks

* Return errors for snapshot encoding edge cases

* Fix loom lock helper usage

* Fix three March-2026 import panics (kim, mads, pr929 fixtures)

Three production blobs in loro-debug reliably panic inside doc.import on
loro-crdt@1.10.6:

- DagCausalIter assertion at dag/iter.rs: when a peer has multiple node
  segments in the target span and the later segment's deps fall outside
  the span, both segments reach the initial stack with zero in-degree and
  LIFO pops the higher counter first. Fix: in DagCausalIter::new, after
  out_degrees and succ are built, synthesize per-peer ordering edges so
  the lower counter must drain before the higher one is released.

- OnceCell::set(..).unwrap() double-set at oplog/loro_dag.rs:917 during
  ensure_vv_for on a diamond dep (#929): a shared ancestor
  gets pushed onto the iterative-DFS stack by multiple paths and the
  second pop tries to initialize an already-filled cell. Fix: skip nodes
  whose vv is already Some at the top of the loop and swallow the Err
  from the final set as a defensive measure.

- list_state Index-out-of-range panic for the mads-bootstrap fixture:
  the ListDiffCalculator cold-starts its RichtextTracker via
  new_with_unknown() and never learns about the snapshot's real list
  content. During replay the tracker's per-change checkouts temporarily
  retreat some snapshot ops, so a new op's fugue anchor lands inside the
  unknown prefix. CrdtRope::get_diff() then emits Retain(N) where N is
  larger than ListState.len(). Fix: change ContainerState::apply_diff
  (and DocState::apply_diff, init_with_states_and_version) to return
  LoroResult<()>; ListState::apply_diff pre-validates the delta against
  current length and returns LoroError::internal(..) on mismatch so
  doc.import surfaces the error instead of panicking. Root cause in the
  tracker cold-start path still needs follow-up.

Regression tests for all three live in crates/loro/tests/march_2026_panics.rs
with the captured production blobs in fixtures_march_2026/. Additional
targeted unit tests in dag/iter.rs and oplog/loro_dag.rs cover the
smallest synthetic DAG shapes that triggered each bug.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Make internal locks fail fast

* chore: rm fixtures

* chore: changeset

* Fix awareness doctest lock usage

* Fix loom RwLock wrapper

* Update repository agent guidelines

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: zxch3n

.changeset/honest-cycles-mix.md

@@ -0,0 +1,6 @@
+---
+"loro-crdt-map": patch
+"loro-crdt": patch
+---
+
+Fix production panic regressions

AGENTS.md

@@ -1,38 +1,79 @@
-# Agent Notes (Loro)
+# Repository Guidelines
 
-## Invariant: Flush Pending Events In `loro-wasm`
+## Project Structure & Module Organization
 
-In `crates/loro-wasm/src/lib.rs`, subscription callbacks (`subscribe*`, container `subscribe`, etc.)
-do not call user JS immediately. Instead, the binding enqueues JS calls into a global pending queue,
-and schedules a microtask check. If the microtask runs before `callPendingEvents()` flushes the
-queue, it will log:
+This is a Rust workspace with JS/WASM packaging around the core CRDT library.
+Key crates live under `crates/`: `loro` is the public Rust API, `loro-internal`
+contains core CRDT logic, `loro-wasm` exposes the WASM/TypeScript package, and
+`delta`, `rle`, `kv-store`, and `fractional_index` hold shared primitives.
+Integration and regression tests are mostly in `crates/loro/tests` and
+`crates/loro-internal/tests`; WASM tests and package files are in
+`crates/loro-wasm`. Examples live in `examples/` and `crates/examples`.
 
-- `[LORO_INTERNAL_ERROR] Event not called`
+## Build, Test, and Development Commands
+
+- `cargo build`: build the Rust workspace.
+- `cargo check -p loro-internal`: quickly validate core internals.
+- `cargo test -p loro-internal --doc`: run Rust doctests for internal APIs.
+- `pnpm test`: run the main Rust test suite via nextest plus doctests.
+- `pnpm check`: run clippy with all features and deny warnings.
+- `pnpm release-wasm`: sync versions and build the release WASM package.
+- `pnpm test-loom`: run loom concurrency tests for `crates/loro/tests/multi_thread_test.rs`.
+
+## Coding Style & Naming Conventions
+
+Use standard Rust formatting with `rustfmt`; keep imports and chained calls formatted
+by the tool. Prefer explicit, small APIs and existing crate-local helpers over new
+abstractions. Rust items use `snake_case` for functions/modules and `CamelCase` for
+types. JS/TS bindings in `loro-wasm` should preserve the established exported API
+names used by tests and docs.
+
+## Testing Guidelines
 
-This creates a strict invariant:
+Add regression tests near the behavior being fixed: Rust API tests in
+`crates/loro/tests`, internal tests in `crates/loro-internal/tests` or module tests,
+and WASM behavior in `crates/loro-wasm/tests`. For import/encoding bugs, prefer
+fixture-based tests with small binary fixtures. Run the narrow package test first,
+then `pnpm test` when the change affects shared behavior. For changes touching
+internal diff calculation, checkout, import, or state-replay logic, also consider
+the fuzz targets in `crates/fuzz`; ask whether to run the broader `fuzz all`
+target before spending the extra time.
 
-- **Any WASM-exposed API that can enqueue subscription events must flush pending events before
-  returning control back to JS.**
+## Commit & Pull Request Guidelines
 
-To avoid adding overhead to every single op, we only wrap (decorate) a small allowlist of
-methods on the JS side. The wrapper calls `callPendingEvents()` in a `finally` block.
+History uses short imperative commits, often prefixed by scope such as `fix:`,
+`test:`, `chore:`, or `refactor:`. Keep commits focused and include fixtures or
+tests with fixes. PRs should describe what changed, why, validation commands, and
+linked issues or production traces when relevant. Add a changeset when publishing
+behavior or package output changes.
 
-### How To Maintain
+## Agent-Specific Notes
+
+### Invariant: Flush Pending Events In `loro-wasm`
+
+In `crates/loro-wasm/src/lib.rs`, subscription callbacks (`subscribe*`,
+container `subscribe`, etc.) do not call user JS immediately. The binding
+enqueues JS calls into a global pending queue and schedules a microtask check.
+If the microtask runs before `callPendingEvents()` flushes the queue, it logs:
+
+- `[LORO_INTERNAL_ERROR] Event not called`
 
-- When adding or changing a `#[wasm_bindgen]` API in `crates/loro-wasm/src/lib.rs` that can
-  *mutate document state*:
-  - If it can trigger an implicit commit / barrier (`commit`, `with_barrier` /
-    `implicit_commit_then_stop`), emit events (`emit_events`), or applies diffs (e.g. `revertTo`,
-    `applyDiff`), it typically **must** flush pending events.
-  - Add its JS name to the allowlist in `crates/loro-wasm/index.ts` near the bottom:
-    `decorateMethods(LoroDoc.prototype, [...])` (or the relevant prototype allowlist).
-  - If it is a pure read/query API (no state mutation, no commit/barrier, no event emission),
-    do **not** decorate it, to avoid unnecessary per-call cost.
+Any WASM-exposed API that can enqueue subscription events must flush pending
+events before returning control to JS. To avoid adding overhead to every op, only
+a small JS-side allowlist is wrapped; the wrapper calls `callPendingEvents()` in
+a `finally` block.
 
-### Quick Check
+When adding or changing a `#[wasm_bindgen]` API in `crates/loro-wasm/src/lib.rs`
+that can mutate document state, check whether it can trigger an implicit commit
+or barrier (`commit`, `with_barrier`, `implicit_commit_then_stop`), emit events
+(`emit_events`), or apply diffs (`revertTo`, `applyDiff`). If so, add its JS
+name to the allowlist near the bottom of `crates/loro-wasm/index.ts`:
+`decorateMethods(LoroDoc.prototype, [...])` or the relevant prototype allowlist.
+Pure read/query APIs should not be decorated.
 
-With active subscriptions (`doc.subscribe(...)` / container `subscribe(...)`), calling mutating APIs
-should not produce the error above. A recommended local check is:
+Quick check with active subscriptions (`doc.subscribe(...)` or container
+`subscribe(...)`): mutating APIs should not produce the error above. A useful
+local check is:
 
 ```sh
 pnpm -C crates/loro-wasm build-release