resolver: surface timeout-recheck stats and keep timeout-only domains suspect

PLAN_DHSQ_GLOBAL.md

@@ -6,7 +6,7 @@
 - [x] ~~3. Add stale-keep policy.~~
 - [x] ~~4. Wire 24h precheck cycle (soft pruning only).~~
 - [x] ~~5. Expose metrics/log clarity in API + GUI (API/trace done; DNS benchmark load-profile UI done; route badges done).~~
-- [ ] 6. Tune thresholds with production data.
+- [ ] 6. Tune thresholds with production data (pass-1 done: timeout-only now stays suspect/no quarantine by default).
 
 ## 1) Goal
 - Stabilize resolver behavior under high domain volume.

selective-vpn-api/app/resolver.go

@@ -1813,8 +1813,18 @@ func (s *domainCacheState) setErrorWithStats(domain string, source domainCacheSo
 	if entry == nil {
 		entry = &domainCacheEntry{}
 	}
+	prevKind, _ := normalizeCacheErrorKind(entry.LastErrorKind)
 	entry.Score = clampDomainScore(entry.Score + penalty)
 	entry.State = domainStateFromScore(entry.Score)
+
+	// Timeout-only failures are treated as transient transport noise by default.
+	// Keep them in suspect bucket (no quarantine) unless we have NX signal.
+	if normKind == dnsErrorTimeout && prevKind != dnsErrorNXDomain {
+		if entry.Score < -10 {
+			entry.Score = -10
+		}
+		entry.State = domainStateSuspect
+	}
 	entry.LastErrorKind = string(normKind)
 	entry.LastErrorAt = now
 	switch entry.State {