fix(discovery): do not advance last_notified for an unmatched trusted writer (SPDP silent-isolation backport)

[amitsingh21]

Summary

Backports the upstream Fast-DDS v2.6.7 (ROS 2 Humble) guard into this Foxy 2.1.4 line: in StatelessReader::change_received, do not advance last_notified for a trusted (SPDP/SEDP framework) writer that is not currently matched.

One-line change in effect:

if (!thereIsUpperRecordOf(...)) {
    bool update_notified = true;
    if (m_trustedWriterEntityId == change->writerGUID.entityId)
        update_notified = (writer is in matched_writers_);
    if (received_change(...)) { ...; if (update_notified) update_last_notified(...); ... }
}

Root cause — production "silent isolation"

Observed on the fleet (SCL bot156 bot↔edge; bot23↔elevator response leg): after a WiFi blip > lease, a participant is silently isolated — beacons flow but it is never re-discovered, endpoints never re-pair, recoverable only by restarting the process. gdb confirmed the signature: StatelessReader::processDataMsg keeps firing while PDPListener::onNewCacheChangeAdded stays at 0 (SPDP dropped before the listener).

Mechanism:

• SPDP DATA(p) is best-effort and re-announced with a frozen sequence number (PDP history is KEEP_LAST(1) keyed by participant).
• 2.1.4 advances last_notified unconditionally. An SPDP/SEDP sample accepted during the unmatched window (right after a lease-driven remove_remote_participant) writes a history_record keyed by the raw writer GUID.
• That record is normally migrated to the persistence GUID by add_persistence_guid during assignRemoteEndpoints. But PDPListener::onNewCacheChangeAdded releases the reader mutex around createParticipantProxyData()/assignRemoteEndpoints(), and the migrate can be skipped (participant-proxy pool exhaustion → createParticipantProxyData returns nullptr; or a concurrent lease-timer removal). The raw-GUID record is then orphaned.
• Every later frozen-sequence re-announce now satisfies thereIsUpperRecordOf() and is dropped before PDPListener → no re-discovery → silent isolation.

Fix

Skip update_last_notified for an unmatched trusted writer. With no raw-GUID write there is nothing to strand, so every ordering between the receive thread and the lease-timer thread resolves cleanly, and re-announces from an unmatched participant are reprocessed until it re-discovers. Matched writers still dedup normally → no steady-state cost (important on the high-fan-in side, e.g. an elevator/edge tracking ~200 peers).

Validation (lab reproducer)

• Mechanism: under forced proxy-pool pressure, an over-limit participant strands on the unpatched lib — SPDP ACCEPT=1, DROP≈60 (gated forever). With the guard: ACCEPT on every announcement, DROP=0 (never gated, retries).
• Data recovery: when a proxy slot frees, the guarded (never-gated) participant re-discovers and data resumes; the unpatched (gated) participant stays dead.

Scope / risk

• Single file (StatelessReader.cpp), behavior change limited to trusted framework writers (SPDP/SEDP); user-data readers unaffected.
• Exact backport of code shipping since v2.6.7 across Humble/Iron/Jazzy/Rolling → low risk.
• Stacks on the SEDP NACK/GAP deadlock backport already on rapyuta/2.1.4-foxy-sedp-fix (different, writer-side flavor) — together they cover both observed post-blip failure modes.

Production validation to follow via canary (patched multiarch SECURITY=ON lib on a wedge-prone bot).