Two latent issues uncovered while designing network-drift detection:
- adoptDockerSubnet's comment claimed apps' IPs stay inside docker's
subnet after adoption. False: IPs are pinned to the old subnet's first
three octets, so adopting a different /24 base strands every app IP
out-of-subnet. Document the real behaviour + the heal paths.
- ipAllocation fell through from the existing-row branch to the
unconditional INSERT, which would violate UNIQUE(app,type,service).
Unreachable on today's reset path (rows are deleted first) but a hazard
for any direct caller; add an explicit return after reuse/reset.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>