Module MementoLoader


MementoLoader - Persistence layer

Loads ApplicationState memento JSON from disk during boot. Two flavours: best-effort (returns empty on failure) and result-typed (surfaces failures explicitly during recovery).

Layout (one export per file, file name = identity):

  • LoadInitialMementoFromDisk::Fn - best-effort loader for ApplicationState::default(). Backs up corrupted files, creates the parent directory on read errors.
  • LoadMementoWithRecovery::Fn - result-typed loader used during recovery flows; surfaces FS / parse failures.
  • AttemptMementoRecovery::Fn (internal) - write a .backup sibling for the corrupted content.
  • CreateCorruptedBackup::Fn (internal) - write a timestamped .json.corrupted.<ts> sibling.

TODO: zero callers as of 2026-05-02 - pending wire-up from Environment::StorageProvider boot path.

Modules

AttemptMementoRecovery
Side-channel: write the corrupted memento payload to a .backup sibling so a human can inspect the original. Failure to write the backup is logged but doesn’t propagate - the load path stays best-effort.
CreateCorruptedBackup
Timestamped corruption backup: write the failed-to-parse content to a .json.corrupted.YYYYMMDD_HHMMSS sibling so several recovery attempts in a row don’t clobber each other. Pure side-effect; never fails the caller.
LoadInitialMementoFromDisk
Best-effort synchronous memento loader for ApplicationState’s default() path. Failures don’t propagate - corrupted files are backed up, missing directories are created, and an empty map is returned so initialisation always succeeds.
LoadMementoWithRecovery
Result-typed memento loader. Returns Ok(empty) for missing files, Err(FileSystemIO) for read failures, and Err(SerializationError) for parse failures (with a timestamped corruption backup written as a side effect). Used during recovery flows where the caller needs to know that loading actually failed.
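
The result-typed contract described for LoadMementoWithRecovery, sketched as an added example; this is not the project's own code. The names `load_with_recovery`, `corrupted_sibling`, `LoadError` and `Memento`, the injected `parse` closure (standing in for the JSON deserializer) and the caller-supplied timestamp string are all assumptions, as is the use of `create_new` for the backup file.

```rust
use std::collections::HashMap;
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::path::{Path, PathBuf};

pub type Memento = HashMap<String, String>; // assumed shape of the state map

#[derive(Debug)]
pub enum LoadError {
    FileSystemIO(io::Error),
    SerializationError(String),
}

/// Sibling path `<file>.corrupted.<stamp>`; `stamp` is YYYYMMDD_HHMMSS, supplied by the caller.
pub fn corrupted_sibling(path: &Path, stamp: &str) -> PathBuf {
    let mut name = path.file_name().unwrap_or_default().to_os_string();
    name.push(format!(".corrupted.{}", stamp));
    path.with_file_name(name)
}

/// Hypothetical result-typed loader; `parse` stands in for the JSON deserializer.
pub fn load_with_recovery<P>(path: &Path, stamp: &str, parse: P) -> Result<Memento, LoadError>
where
    P: Fn(&str) -> Result<Memento, String>,
{
    let raw = match fs::read_to_string(path) {
        Ok(text) => text,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(Memento::new()),
        Err(e) => return Err(LoadError::FileSystemIO(e)),
    };
    parse(&raw).map_err(|reason| {
        // create_new: never overwrite an earlier backup or write through a pre-planted symlink.
        let written = OpenOptions::new().write(true).create_new(true)
            .open(corrupted_sibling(path, stamp))
            .and_then(|mut f| f.write_all(raw.as_bytes()));
        if let Err(e) = written {
            eprintln!("corruption backup not written: {}", e); // logged, never propagated
        }
        LoadError::SerializationError(reason)
    })
}

fn main() {
    // Constructed sample: truncated JSON, rejected by a stand-in parser.
    let path = std::env::temp_dir().join("memento_demo.json");
    fs::write(&path, "{\"theme\": ").unwrap();
    let reject = |_: &str| Err::<Memento, String>("unexpected end of input".into());
    println!("{:?}", load_with_recovery(&path, "20260502_101500", reject));
}
```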