
Archive recovery worker uses raw part-file owner across async work

Summary

The archive recovery path stores a raw CPartFile* in a worker-thread parameter block, dereferences it during recovery, logs through it after the work completes, and mutates m_bRecoveringArchive from the worker thread. Nothing ties the pointer's lifetime to the worker, so removing the download or shutting the application down while recovery is in flight leaves the worker holding a dangling pointer (use-after-free). The same worker can also wait indefinitely on an external preview process handle, which keeps the parameter block and its cached pointer alive for as long as that process runs.

This would block Beta 0.7.3 if archive recovery were an active feature. Per the product decision of 2026-05-08, archive recovery is deprecated and entirely frozen, and its known bugs are Wont-Fix unless a later product decision explicitly unfreezes the feature.

Evidence

  • srchybrid/ArchiveRecovery.cpp:69 allocates the recovery thread parameter.
  • srchybrid/ArchiveRecovery.cpp:86 stores the raw CPartFile* in the worker parameter.
  • srchybrid/ArchiveRecovery.cpp:96 passes that pointer into recovery work.
  • srchybrid/ArchiveRecovery.cpp:103 mutates m_bRecoveringArchive from the worker path.
  • srchybrid/ArchiveRecovery.cpp:195 waits indefinitely on an external process handle in the preview path.

Frozen Disposition

No implementation is planned while archive recovery is deprecated and frozen. Do not spend Beta 0.7.3 hardening effort on this path unless the feature is explicitly unfrozen.

Acceptance criteria, recorded for the case that the feature is reopened:

  • Archive recovery workers no longer dereference CPartFile* after thread start except through an explicitly safe owner/lifetime contract.
  • m_bRecoveringArchive is not mutated from an unsafe worker context.
  • Download removal and application shutdown cannot produce worker UAF.
  • External preview process handling cannot keep unsafe owner pointers alive indefinitely.
  • Existing successful archive recovery behavior remains compatible.
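The owner/lifetime contract the criteria above ask for, as an added example that is not the project's code (PartFile, PreviewProcess, RecoveryParams, RecoveringGuard and runRecoveryWorker are hypothetical stand-ins for CPartFile, the preview process handle, the worker parameter block and the worker body; the std::thread spawn stands in for the project's thread start). The parameter block carries a std::weak_ptr; the worker promotes it once, holds the strong reference for the whole job including the post-work logging, toggles the recovering flag through an RAII guard so it is cleared on every exit path, and waits on the preview process with a timeout instead of indefinitely. The three scenario functions cover the cases listed above: owner alive, owner removed before the thread ran, and a preview process that never returns.

```cpp
// Added example, not project code: owner/lifetime contract for a recovery worker.
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <utility>

struct PartFile {                       // hypothetical stand-in for CPartFile
    std::string name;
    std::atomic<bool> recoveringArchive{false};   // only toggled while a strong ref is held
    explicit PartFile(std::string n) : name(std::move(n)) {}
};

// Simulated external preview process: finish() signals completion; waiters
// use a bounded wait rather than an indefinite one.
class PreviewProcess {
public:
    void finish() {
        std::lock_guard<std::mutex> lk(m_);
        done_ = true;
        cv_.notify_all();
    }
    bool waitFor(std::chrono::milliseconds timeout) {
        std::unique_lock<std::mutex> lk(m_);
        return cv_.wait_for(lk, timeout, [this] { return done_; });
    }
private:
    std::mutex m_;
    std::condition_variable cv_;
    bool done_ = false;
};

struct RecoveryParams {                 // worker parameter block: weak ref, never a raw pointer
    std::weak_ptr<PartFile> file;
    std::chrono::milliseconds previewTimeout{5000};
};

enum class Outcome { Completed, OwnerGone, PreviewTimedOut };
struct Result { Outcome outcome; bool flagClear; std::string log; };

// Sets the recovering flag on entry and clears it on every exit path.
class RecoveringGuard {
public:
    explicit RecoveringGuard(PartFile& f) : f_(f) { f_.recoveringArchive.store(true); }
    ~RecoveringGuard() { f_.recoveringArchive.store(false); }
    RecoveringGuard(const RecoveringGuard&) = delete;
    RecoveringGuard& operator=(const RecoveringGuard&) = delete;
private:
    PartFile& f_;
};

Outcome runRecoveryWorker(const RecoveryParams& p, PreviewProcess& preview, std::string& log) {
    // Promote the weak ref once and hold it for the whole job. If the download
    // was removed before we got here, lock() yields null instead of a dangling
    // pointer; if it is removed while we run, destruction is deferred until
    // this strong reference goes away, so the post-work logging stays valid.
    std::shared_ptr<PartFile> owner = p.file.lock();
    if (!owner) {
        log += "owner gone before recovery started\n";
        return Outcome::OwnerGone;
    }
    RecoveringGuard guard(*owner);
    // ... archive recovery on *owner would happen here ...
    if (!preview.waitFor(p.previewTimeout)) {        // bounded, not INFINITE
        log += "preview timed out for " + owner->name + "\n";
        return Outcome::PreviewTimedOut;
    }
    log += "recovery completed for " + owner->name + "\n";   // through the held ref
    return Outcome::Completed;
}

// Scenarios: `list` plays the download list's owning reference.
Result scenarioOwnerAlive() {
    auto list = std::make_shared<PartFile>("a.part");
    RecoveryParams params{list, std::chrono::milliseconds(100)};
    PreviewProcess preview;
    preview.finish();
    Result r{Outcome::OwnerGone, false, ""};
    r.outcome = runRecoveryWorker(params, preview, r.log);
    r.flagClear = !list->recoveringArchive.load();
    return r;
}

Result scenarioRemovedBeforeStart() {
    auto list = std::make_shared<PartFile>("b.part");
    RecoveryParams params{list, std::chrono::milliseconds(100)};
    list.reset();                        // download removed before the worker ran
    PreviewProcess preview;
    Result r{Outcome::OwnerGone, true, ""};
    r.outcome = runRecoveryWorker(params, preview, r.log);
    return r;
}

Result scenarioPreviewHangs() {
    auto list = std::make_shared<PartFile>("c.part");
    RecoveryParams params{list, std::chrono::milliseconds(20)};
    PreviewProcess preview;              // never finishes
    Result r{Outcome::OwnerGone, false, ""};
    r.outcome = runRecoveryWorker(params, preview, r.log);
    r.flagClear = !list->recoveringArchive.load();
    return r;
}

int main() {
    // Same worker on a real thread while the list reference is dropped underneath it.
    auto list = std::make_shared<PartFile>("d.part");
    RecoveryParams params{list, std::chrono::milliseconds(200)};
    PreviewProcess preview;
    std::string log;
    std::thread worker([&] { runRecoveryWorker(params, preview, log); });
    list.reset();                        // "download removed" mid-run: no UAF either way
    preview.finish();
    worker.join();
    return log.empty() ? 1 : 0;
}
```

Whichever way the race in main() resolves, the worker either sees a null lock() result or keeps the file alive until it returns; the only thing that changes is which line ends up in the log. The bounded wait is what bounds how long that deferred destruction can last.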

Validation

  • 2026-05-08: Source comment added near CArchiveRecovery::recover in app commit 8c2cc67 to document the deprecated/frozen Wont-Fix status.