… set

The stdio client's logic — framing, parse errors, the shutdown
escalation decisions — is now tested in process against a fake process
injected through the spawn seam, and only the properties that are OS
behaviour keep real subprocesses. The in-process tests include
regressions for the shutdown bugs fixed in the previous commit:
cancellation must still run the full shutdown, tree kill must reach
children after the leader has exited, writes racing server death must
surface clean closure, exiting with a server message still undelivered
must be a clean exit, and a server exiting on stdin close must never
be terminated. Each was verified to fail against the previous
implementation.

The real-process set shrinks to: one consolidated tree-kill test driven
through the public stdio_client (a parent that exits instantly on
SIGTERM, a child, and a grandchild — pinning group inheritance, atomic
group kill, and dead-leader robustness in one spawn), the
SIGTERM-ignoring SIGKILL escalation test, a dead-group no-op test, and
exec-failure ENOENT. Grace and kill timeouts are shortened via
monkeypatch in the real tests: the escalation decision is pinned in
process against a shortened grace, the SIGTERM-then-SIGKILL escalation
itself is exercised only by the real escalation test, and the
production constants' values are deliberately unpinned. The stdio
surface drops from ~11s to ~3.5s.

Deleted as subsumed or broken:
- The two tee-based tests: the interaction suite's subprocess e2e pins
  the real-pipe round trip with a real server, and tee could never
  deterministically exercise the chunk-reassembly buffer that the new
  in-process framing test pins (real pipes deliver short messages as
  whole lines).
- test_stdio_client_bad_path: its script only "failed" because
  non-existent-file.py happens to be a Python expression that raises
  NameError; the property (stdout EOF fails initialize with
  CONNECTION_CLOSED) is now pinned in process.
- The basic/early-parent cleanup tests and universal-cleanup /
  graceful-stdin-exit tests, folded into the consolidated tree test and
  the in-process graceful/escalation tests.
- tests/issues/test_1027_win_unreachable_cleanup.py: its lifespan
  cleanup chain is covered by the interaction e2e's clean-exit marker
  plus the lifespan tests, it polled marker files with fixed sleeps,
  and it leaked its child process when an assertion failed mid-test.
  Its only helper module (tests/shared/test_win32_utils.py) goes with
  it. The MCPServer.run("stdio") coverage its subprocess scripts
  provided is replaced by an in-process test that drives run() over
  injected stdio and asserts a real response.

tests/issues/test_552_windows_hang.py now asserts initialize succeeded
instead of swallowing every exception (its handcrafted response also
sent the invalid protocolVersion "1.0", so it errored on every run and
passed anyway), the stdio server tests are bounded by fail_after, and
the elicitation tests that claimed "stdio" in their names run, and now
say they run, over the in-memory transport.

Source and docs (comment/docstring-level; one dead-code removal):
- Correct the shutdown shield comment: a native task.cancel() delivered
  while cleanup is in progress can abort it regardless of count; the
  consumed-at-the-yield arithmetic only covered cancellation that
  initiated teardown.
- Scope the pipe-gated process.wait() claims to asyncio on Python
  3.11+ (3.10 and trio resolve on process exit alone), in the
  _wait_for_process_exit docstring and the migration guide.
- Add sunset notes to the cpython#106749 tracer workarounds (3.11-only;
  revert when 3.11 support is dropped).
- Document stdio_client's raised exceptions (Raises: section).
- Document the Job Object pre-assignment window in create_windows_process
  and at the assignment call site; document the _process_jobs
  WeakKeyDictionary's two load-bearing invariants (PyHANDLE values,
  identity-hashed weakref keys); fix a wrong comment about the
  CloseHandle failure path in _maybe_assign_process_to_job.
- Drop FallbackProcess.stdin_raw/stdout_raw (write-only attributes).

Tests:
- Fix the inert leak canary in the OSError spawn-failure test: the
  pytest.raises ExceptionInfo pinned the leaked streams across
  gc.collect(); drop it before collecting (mutation-verified).
- Correct the EPERM escalation test's pre-fix description (the old code
  fell back to a leader-only kill, leaking other group members - it did
  not hang forever) and trim an unasserted claim from the
  write-after-death docstring.
- Add a CRLF-framed message to the chunk-reframing test, pinning the
  trailing-CR tolerance Windows servers rely on, on every platform.
- Pin the grace wait's returncode read (what reaps the leader's zombie
  on trio) with a read-counting stub, parametrized over asyncio and
  trio; deleting the read fails the test on both backends.
- Add the missing width-justification comment to one fail_after(10.0).

The job-handle-close reap test failed on all windows-latest legs with a
silent 15s accept timeout: the grandchild's connect-back never arrived,
and xdist swallows the server's stderr, so the logs could not say which
link of the spawn chain broke.

Reshape the server to the form the passing cancellation test already
proves on Windows CI: it connects back to the liveness listener itself
after spawning the child, then parks on stdin. The test now accepts two
connections, so a failure distinguishes "server never ran its connect
line" from "child never connected". Capture the server's stderr via
errlog into a temp file and attach it to every failure message, and
wrap the child spawn in a try/except that reports to stderr before
re-raising. The contract is unchanged: both sockets must close after a
graceful exit (server FIN, child killed by the job-handle close), with
returncode 0 and the escalation seam untouched.

The job-reap test still fails on windows-latest with an empty captured
stderr, which proves the server ran its whole script but cannot say
anything about the child. Close the remaining blind spots:

- Route the child's stderr into the server's (which errlog captures),
  so a child that dies at startup leaves its traceback in the failure
  message instead of vanishing into the hidden console.
- Print a child-started marker to stderr first, splitting "child never
  spawned" from "child started but could not connect".
- Report how many of the two liveness connections arrived and which leg
  is missing, instead of one undifferentiated timeout.
- Record when the stdio_client context was entered and include the
  spawn-to-entry split in the failure message, so a stalled spawn is
  distinguishable from a stalled child.

Verified on POSIX by running the same choreography with a deliberately
unreachable child port: the failure message names the missing leg and
quotes the child's ConnectionRefusedError traceback verbatim.

The instrumented CI runs showed the grandchild booted (its startup
marker reached stderr on some legs) and then died tracelessly before it
could connect — no traceback, no SDK escalation, no job-handle close.
The remaining kill mechanism in the chain is the venv launcher layer:
sys.executable in a uv-managed venv is a trampoline that runs the real
interpreter inside its own kill-on-close Job, and that private job
machinery proved fatal to grandchildren on the CI runners.

The server now spawns its child through sys._base_executable, removing
the foreign launcher layer from the grandchild chain. The contract
under test is unchanged: the child still inherits the SDK's Job Object
at CreateProcess and must die when the job handle closes at shutdown.

Also report the child's poll() status after stdin EOF ends the server
(child-rc on stderr, zero cost on the healthy path), so any remaining
failure message names the child's exit status - the discriminator
between "still alive but unreachable" and "killed, by this code".

The grandchild was freezing at interpreter startup for as long as the
server sat in its blocking stdin read: CPython queries fd 0 during
startup, the child's inherited stdin was the server's stdin pipe (a
synchronous file object), and Windows serializes that query behind the
server's pending ReadFile. The child only thawed when the client closed
stdin at shutdown - at which point the job-handle close correctly
reaped it before it could connect. Spawning the child with
stdin=DEVNULL removes the coupling, so it boots immediately and the
kill-on-job-close contract can be observed.

Also reverts the previous commit's base-interpreter bypass: the venv
launcher was not involved (the freeze reproduces identically with the
base interpreter). The same stdin coupling applies to any Windows stdio
server that spawns Python children without redirecting their stdin.

After shutdown closes the child's stdin, the child has to unwind its run
loop, write its clean-exit stderr line, and let coverage's atexit hook
persist the subprocess data file before the stdin-close grace expires.
On a slow Windows runner the production 2s grace was too tight: the
escalation killed the child mid-atexit - after the asserted stderr line,
so the test stayed green - and the silently missing data file failed the
100% coverage gate at 99.95%. Widen the grace to 10s for this one test;
the timeout is not under test here.

Restructure stdio_client to read top-down: spawn the server process before
creating the transport streams (a failed spawn now has nothing to clean up),
extract _parse_line, replace the reader's delivering flag with two sequential
phases (deliver, then drain), name the shutdown sequence as a shutdown()
helper with numbered steps, and rename _shutdown_process_tree to
_stop_server_process so it no longer reads as a synonym of
_terminate_process_tree. Add a ServerProcess alias for the process union.

Use the same cancellation idiom as the other client transports for the
bounded waits and task teardown (move_on_after, tg.cancel_scope.cancel())
instead of deadline-poll loops and dedicated per-task scopes; a
cancel_shielded_checkpoint after each site that can throw through the await
chain keeps coverage accurate on Python 3.11 (python/cpython#106749). Drop
four scheduling checkpoints in exception handlers that nothing depends on.

Compress comments to the load-bearing rationale, anchor the shutdown
sequence to the MCP lifecycle specification, and explain why
function-valued ("()"-prefixed) environment variables are skipped.

stdio_client now carries the same AsyncGenerator[TransportStreams, None]
annotation as streamable_http_client, so it formally satisfies the
Transport protocol instead of leaking anyio's concrete memory-stream
types. Also adds the missing -> None on FallbackProcess.__init__ and
retypes the test helper to the ReadStream protocol.

Adopt a uniform comment standard for the stdio transport and its tests:
PEP 257 one-line summaries, docstring bodies only for contracts or for
warning-of-consequences notes (why the obvious alternative is wrong),
inline comments at most two lines, no Args/Returns boilerplate on private
helpers, ASCII punctuation only. Facts guarding non-obvious OS behavior
(killpg/EPERM semantics, the pipe-gated process.wait(), the Windows
stdin-pipe interpreter freeze, CPython gh-106749) are kept in compressed
form; pure narration is deleted.

No code changes outside comments and docstrings.

Every docstring now opens with a single-line summary sentence followed by
a blank line and the body. Restores the useful content that an earlier
slimming pass cut from create_windows_process: the SelectorEventLoop /
NotImplementedError fallback explanation, the Job Object purpose, the
assignment-window caveat, and a Returns section explaining the
Process | FallbackProcess union.

Docstring-only change; no code or behavior changes.