fix(win10): skip POSIX heartbeat watchdog on Windows + sync logging foundation

[BitHighlander]

Summary

Fixes the dominant 1.2.14 Win10 first-launch crash and lands the observability foundation that made it possible to find.

Change	Why
startHeartbeatWatchdog() returns early on process.platform === 'win32'	The watchdog spawns bash -c '<POSIX shell script>' which fails with UV_ENOENT (-4058) on Win10 Explorer launches (empty PATH), causing an uncaught async exception in the worker that kills the entire app right around device pair time.
Sync logger (fs.appendFileSync per call)	The previous createWriteStream buffered writes — every crashed launch lost the actual exception line, which is why this bug went undiagnosed for two days.
Boot environment dump	Captures platform, pid, ppid, cwd, argv, stdio TTY status, PATH.length, Windows env vars. The PATH.length=0 field is what surfaced this bug.
JS↔native boundary logging in engine-controller.ts	Every USB / libusb call now logs entry/exit with try/catch, so future native crashes leave clear breadcrumbs.

Verified fixed in-place by patching the installed bundle and re-launching from the desktop icon. Same install crashed without the fix; with the fix, the boot reaches [PERF] +3876ms: boot complete and the device pairs cleanly.

The bug

`projects/keepkey-vault/src/bun/index.ts:4246` unconditionally spawns bash -c '<heartbeat watchdog script>' at module load. The watchdog is POSIX-only (uses bash, kill -9, date +%s, sleep, cat, [ -f ]) and could never have functioned on Windows even if bash were on PATH. It exists to defend against an FFI freeze in kkemu confirm_helper that only happens on macOS/Linux builds.

When the app is launched from Explorer / Start Menu / installer-Run-now on Win10, the bun worker inherits an empty PATH from the parent process. Bun.spawn delegates to libuv, which fails with UV_ENOENT when it can't locate bash, and the failure is delivered as an uncaught async exception in the worker thread several seconds after the spawn call site. The exception kills the entire app right around [Engine] State → needs_pin, and the user sees a splash that hangs and then disappears.

Reproduced twice across two distinct rebuilt 1.2.14 binaries:

• `KeepKey-Vault-1.2.14-win-x64-setup.exe` SHA256 `4f8ec1ba…` (2026-04-08 first publish)
• `KeepKey-Vault-1.2.14-win-x64-setup.exe` SHA256 `2111ad61…` (2026-04-09 rebuild with port-collision fix)

Why it took two days

The previous file logger used `fs.createWriteStream(LOG_FILE, {flags:'a'})` whose buffered `.write()` calls were never flushed when the worker thread crashed. Every failed launch left a `vault-backend.log` that appeared to end at `[Engine] Merged manifest` — actually 2-7 seconds before the actual death point. We chased three wrong root causes (libusb segfault on detach, semver throw in initialize, port-1646 collision) every one of which was downstream of a buffered log losing the actual exception line.

The first commit on this branch swaps the buffered stream for `fs.appendFileSync`. The very next failed launch produced this final line in `vault-backend.log`, which is the smoking gun:

```
[2026-04-09T22:01:38.479Z] ERR: Uncaught exception in worker: {
"code": "ENOENT",
"path": "bash",
"errno": -4058
}
```

Combined with `[Boot] env: PATH.length=0 LANG=` from the new boot env dump, the diagnosis was a 30-second `grep` for `'bash'` in `src/bun/`.

Verification

Before the fix (orig 1.2.14, Explorer launch with device plugged in)

```
[2026-04-09T22:01:38.472Z] [Engine] State → needs_pin
[2026-04-09T22:01:38.472Z] [Engine] Resolved BL hash fe98454e… → v2.1.4
[2026-04-09T22:01:38.479Z] ERR: Uncaught exception in worker: { code: 'ENOENT', path: 'bash', errno: -4058 }
[silence — process gone]
```

After the fix (same install, Explorer launch, same device)

```
[Boot] env: PATH.length=0 LANG= ← Explorer launch, empty PATH
[Vault] Heartbeat watchdog skipped on Windows (POSIX-only) ← the fix fired
[Engine] Merged manifest: latest=v7.10.0 beta=v7.14.0
[Engine] Firmware manifest (latest): fw=7.10.0 bl=2.1.4
[Engine] Scanning for WebUSB device...
[Engine] WebUSB device found, attempting pairRawDevice...
[Engine] Paired via WebUSB
[Engine] Initializing device...
[Engine] Features: { ... firmwareVersion: 7.14.0, ... }
[Engine] State → needs_pin
[PERF] +3876ms: boot complete ← clean boot
[Engine] PIN_REQUEST → type=current
[Engine] State → ready ← device paired and unlocked
```

What this PR does NOT fix

The three Win10 findings from `docs/HANDOFF-1.2.14-WINDOWS-PAIR.md` remain:

1. Finding 1 (`Invalid Version: vundefined.undefined.undefined` in `KeepKeyHDWallet.initialize()`) — addressed by `keepkey/hdwallet#37` which still needs review/merge, followed by a submodule pointer bump here in a separate PR.
2. Finding 2 (native crash on USB unplug during `pairRawDevice`) — separate bug. With the sync logger landing in this PR, the next reproduction should leave the actual death cause in the log.
3. Finding 3 (port-1646 collision splash hang) — already fixed in the official 1.2.14 rebuild from 2026-04-09; verified working.

Files

• `projects/keepkey-vault/src/bun/index.ts` — sync logger (~50 lines), boot env dump (~22 lines), watchdog Windows skip + try/catch (~10 lines), long comment block on the watchdog explaining the platform constraint.
• `projects/keepkey-vault/src/bun/engine-controller.ts` — JS↔native boundary logs in `start()`, `fetchFirmwareManifest()`, and `applyChannel()`. Each native call wrapped in try/catch with explicit `[Engine] FATAL:` logging.
• `docs/HANDOFF-1.2.14-WIN10-WATCHDOG-CRASH.md` — full diagnosis story, verification recipe, and reasoning for keeping the observability changes regardless of the watchdog fix.

Test plan

• Manual: install 1.2.14, launch from desktop icon (broken context), verify crash with old code
• Manual: apply this PR's patches in-place to the installed bundle, re-launch from desktop icon, verify boot reaches `boot complete` and device pairs
• Manual: launch from terminal, verify logger captures full session (still works)
• Manual: backend log first lines contain `[Boot] platform=win32 …` env dump
• CI: existing test suite (no test changes in this PR)
• Reviewer: skim the watchdog comment block — push back if any of the platform-constraint claims are wrong (kill -9 on Windows, date +%s availability, etc)