fix(pow): bound the post-timeout PoW probe to avoid doubling latency

fetch_required_pow uses FETCH_EVENTS_TIMEOUT (15s) internally, so a
slow/unreachable relay would let wait_for_dm wait 15s for the reply
plus another 15s for the probe before producing an error. Wrap the
probe in a short tokio::time::timeout (3s) and fall through to
WaitForDmTimeout if it doesn't return in time — Ok(Some(required))
is the only case that escalates to PowRequirementUnmet.

Addresses review feedback on #173.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: grunch

docs/pow_error_handling.md

@@ -130,8 +130,12 @@ let event = match waited {
     Err(_elapsed) => {
         // Before declaring this a generic timeout, check whether the daemon
         // advertises a PoW requirement we didn't meet — that's the real
-        // cause "deadline has elapsed" was hiding.
-        if let Some(required) = fetch_required_pow(ctx).await {
+        // cause "deadline has elapsed" was hiding. Bounded by
+        // POW_PROBE_TIMEOUT so a slow/unreachable relay can't double the
+        // user-visible wait; if the probe doesn't return in time we fall
+        // through to the generic timeout error instead of hanging.
+        let probe = tokio::time::timeout(POW_PROBE_TIMEOUT, fetch_required_pow(ctx)).await;
+        if let Ok(Some(required)) = probe {
             let configured = parse_pow_env().unwrap_or(0);
             if required > configured {
                 return Err(PowRequirementUnmet { required, configured }.into());
@@ -142,6 +146,10 @@ let event = match waited {
 };
 ```
 
+`POW_PROBE_TIMEOUT` is a small constant (currently 3 s) — well below
+`FETCH_EVENTS_TIMEOUT` (15 s). Worst-case user-visible wait stays at one
+`FETCH_EVENTS_TIMEOUT` plus the probe budget instead of doubling.
+
 Add an `&Context` parameter? Look at the signature today —
 `wait_for_dm(ctx, order_trade_keys, sent_message)` — `ctx` is already
 passed. We just need to grant the helper access to `ctx.client` and

src/util/messaging.rs

@@ -256,6 +256,12 @@ pub async fn send_plain_text_dm(
     .await
 }
 
+/// Upper bound on the post-timeout PoW probe inside [`wait_for_dm`]. Kept
+/// well below `FETCH_EVENTS_TIMEOUT` so a slow/unreachable relay can't
+/// double the user-visible wait — if the kind-38385 info event isn't back
+/// within this budget we fall through to [`WaitForDmTimeout`] instead.
+const POW_PROBE_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(3);
+
 /// Distinguishable error returned by [`wait_for_dm`] when no reply arrives
 /// within [`FETCH_EVENTS_TIMEOUT`].
 ///
@@ -347,7 +353,15 @@ where
             // no reply ever comes). Before declaring this a generic timeout,
             // ask the daemon's kind-38385 info event whether that's actually
             // the cause we're hiding behind "no reply".
-            if let Some(required) = super::events::fetch_required_pow(ctx).await {
+            //
+            // The probe is bounded by `POW_PROBE_TIMEOUT` instead of the full
+            // `FETCH_EVENTS_TIMEOUT` so a slow/unreachable relay can't double
+            // the user-visible wait. If the probe doesn't return in time, fall
+            // through to the generic timeout error rather than hanging.
+            let probe =
+                tokio::time::timeout(POW_PROBE_TIMEOUT, super::events::fetch_required_pow(ctx))
+                    .await;
+            if let Ok(Some(required)) = probe {
                 let configured = parse_pow_env().unwrap_or(0);
                 if required > configured {
                     return Err(PowRequirementUnmet {