docs(rust-port): record the pm-grid hardening pass (tx_q cap, fonts split)

docs/rust-port.md

@@ -245,7 +245,15 @@ file: brightness, MIDI channel, clock on/off) is safe (device read-only) and is
 **Still deferred**: practice log via **LOGSYNC** + **SLSYNC** (`0x44`/`0x45`), `settings.json` read,
 show the set-list title, the **on-device 808/909 synth → USB Audio input** (the standalone-audio
 alternative, big), firmware push (intended: UF2 now), optional piezo. A/B bootloader **dropped**.
-Also pending: a **hardening pass** (stress the composite USB + flash-write timing; split `main.rs`).
+**Hardening pass — partly done**: panic-audit fixed a real brick risk — `sx_send` (live-sync
+broadcasts + 5 s heartbeat) had no `tx_q` cap, so an editor that drops off without a BYE while
+`sync_armed` (and nothing draining MIDI-IN) would grow the heap until OOM → panic → black; now capped
+at 256 (notes/clock were already capped). Added a defensive `retain(non-empty)` in `build_setlists`
+(no `% 0` in `load`/`next`). Other `unwrap`s are boot-time init; `lanes[0]`/`items[0]`/`step[0]` are
+safe (`parse` substitutes `beep:4`; built-ins lead). Started the `main.rs` split (extracted
+`fonts.rs`); further modularization (FAT/MSC `storage`, `views`) to continue incrementally. **Still
+needs the bench:** composite-USB stress (drive writes *while* live-syncing + clocking) and the
+flash-write-vs-metronome-timing interaction — only verifiable on hardware.
 
 ### Stage 4 — native A/B + secure boot
 Replace the `.mpy`-level A/B hack (`code.py` loads `app.mpy`, rolls back to `app.bak`) with the