docs: document possible nwservermgmt provider process

AI.md

@@ -696,10 +696,19 @@ Latest endpoint audit checkpoint from patch 0231:
   not grow a second management database or return fake success for detailed
   information that is not modeled.
 
-Latest redesign checkpoint from patch 0231:
+Latest redesign checkpoint from patch 0232:
 
-- `REDESIGN.md` now records that NetWare-4.x `0x2222/123` server information
-  and statistics belongs to `servermgmt`, alongside TimeSync and guarded RPC.
-  Keep it in-process unless a concrete backend requires otherwise.
+- `REDESIGN.md` now records `nwservermgmt` as a possible future process for the
+  `servermgmt` provider once multiple NetWare-4.x management families become
+  real: `123/xx` server information/statistics, `114/xx` TimeSync adapter,
+  selected `23/200+` console/server-management calls, and guarded `131/xx` RPC
+  server-control requests.
+- This does not make `nwserv` a data-plane router.  `nwserv` remains supervisor,
+  provider registry, and control plane.  If `nwservermgmt` exists later, `nwconn`
+  sends normalized handoff requests directly to it; `nwservermgmt` may query
+  `nwserv` only for control-plane state such as provider status/capabilities.
+- Small static/status calls may stay in-process until a dedicated process is
+  justified.  RPC/server-control calls must not fake success and require a real
+  privilege model before activation.
 
-Next patch number should be `0232`.
+Next patch number should be `0233`.

REDESIGN.md

@@ -918,21 +918,54 @@ negotiation, and connection-state cleanup are fundamentally tied to the session
 that received the packet.  Moving them into another process would make cleanup
 ordering and error handling harder.
 
-#### Simple server-management calls
+#### Server-management provider and possible `nwservermgmt` process
 
-Simple management and information calls should not become their own process.
-Examples include login-status queries, server description strings, server time,
-NetWare-4.x TimeSync compatibility stubs, console-privilege checks, and small
-broadcast/control helpers.  The NetWare-4.x `0x2222/123` server-information and
-statistics family also belongs here: it should adapt existing mars-nwe, host,
-transport, filesystem, and queue state into NetWare-compatible information
-replies rather than grow a second management database.  NetWare-4.x RPC
-server-control calls such as load/unload NLM, mount/dismount volume, SET command
-changes, and NCF execution also belong to this provider boundary, but they are
-not simple information calls and must remain disabled until there is a real
-privilege model and backend behavior.  These can be represented as a
-`servermgmt` provider for dispatch clarity, but they should stay in-process
-unless a specific call requires an existing backend service.
+Server-management and information calls should first become a clear logical
+provider, not an immediate payload route through `nwserv`.  The `servermgmt`
+provider covers login-status queries, server description strings, server time,
+NetWare-4.x TimeSync compatibility stubs, console-privilege checks, small
+broadcast/control helpers, the NetWare-4.x `0x2222/123` server-information and
+statistics family, and guarded NetWare-4.x RPC/server-control calls.
+
+Small calls may remain in-process while they only adapt local state.  For
+example, `0x2222/123` should adapt existing mars-nwe, host, transport,
+filesystem, and queue state into NetWare-compatible information replies rather
+than grow a second management database.  TimeSync should remain a host-time
+adapter.  Console/status queries should not require a new daemon merely to
+return static or already-known information.
+
+However, once multiple NetWare-4.x management families are implemented, a
+dedicated `nwservermgmt` process becomes a reasonable future process boundary.
+That process would own the server-management provider data plane for `123/xx`,
+`114/xx`, selected `23/200+` console/server-management calls, and guarded
+`131/xx` RPC/server-control requests.  It may query `nwserv` for supervised
+process status, provider capabilities, restart state, or registered endpoints,
+but it must not replace `nwserv` as supervisor.
+
+The intended split is:
+
+```text
+nwserv
+  control plane / supervisor / provider registry
+  starts, monitors, restarts, and publishes provider endpoints
+  does not broker decoded NCP management payloads
+
+nwservermgmt
+  optional future server-management provider process
+  handles server-info, TimeSync adapter, console/status, and guarded RPC surfaces
+  asks nwserv only for control-plane state when needed
+
+nwconn
+  sends normalized handoff requests directly to nwservermgmt if it exists
+  remains final owner of the client NCP reply envelope
+```
+
+NetWare-4.x RPC server-control calls such as load/unload NLM, mount/dismount
+volume, SET command changes, and NCF execution must remain disabled until there
+is a real privilege model and backend behavior.  A future `nwservermgmt` process
+may be the right owner for those checks, but it must still use normalized
+handoff replies and must not fake success for operations that change server
+state.
 
 ##### TimeSync should adapt host time discipline, not implement NTP
 
@@ -985,8 +1018,9 @@ Only some providers should ever become processes:
 ```text
 already process-like:  bindery / nwbind
 likely future process: queue / possible nwqueue, including queue printing/direct-spool bridge
+reasonable future process: servermgmt / possible nwservermgmt once 123/114/131/23-management are real
 maybe, high risk:     filesystem
-usually in-process:   semaphore, message, servermgmt, accounting, AFP helpers
+usually in-process:   semaphore, message, accounting, AFP helpers
 ```
 
 The practical design rule is: