fix(connect): close TOCTOU race in connect sync lock acquisition

[omergk28]

Summary

loadState in internal/cli/connection/core/sync guarded ctx connect sync with a stat-then-write pair — racy by construction. Two processes racing past the os.Stat could both acquire, both load the same LastSequence, and both write duplicate entries into .context/hub/.

This PR replaces the pair with the atomic create-or-fail primitive the codebase already ships for exactly this purpose: io.SafeTryLock (O_CREATE|O_EXCL, one syscall) + io.SafeUnlock, with prior art at internal/cli/dream/core/pass/pass.go:62-70. !acquired maps to the pre-existing os.ErrExist contract, so caller-facing behavior is unchanged.

Closes #93.

Changes

• internal/cli/connection/core/sync/state.go — atomic lock acquisition; release delegates to SafeUnlock (warn-on-failure logging kept)
• internal/config/hub/{hub.go,doc.go} — LockSentinel removed: the lock is the file's existence, not its content, and the racy write was the constant's only consumer
• internal/cli/connection/core/sync/state_test.go — new; the package previously had zero tests
• specs/fix-connect-sync-lock-toctou.md — spec per the project's spec-per-commit invariant

Tests (mapped to the issue's Tests Required)

Issue ask	Test
N goroutines, exactly one succeeds, N−1 get os.ErrExist	TestLoadState_RejectsConcurrentSyncs (16-way; winners held until all results are collected, so the count is deterministic)
Lock released after failure so the next attempt proceeds	TestLoadState_ReleaseRemovesLock + TestLoadState_ReleasesLockOnCorruptState (post-acquisition failure must not leak the lock)
Lock lives at <ctxDir>/hub/.sync.lock	TestLoadState_LockFileLocation

Verification

• Mutation check: the new contention test was run against the old stat-then-write code — it fails with winners = 16, want exactly 1, proving both that the race is real and that the test catches it. Against the fix: exactly 1 winner, 15 × os.ErrExist.
• go test -race -count=10 ./internal/cli/connection/core/sync/ — clean.
• Full CI suite green (fmt, vet, golangci-lint, style, drift, docs, full test suite, shellcheck).

Notes

• One deliberate correction vs. the issue text: ctx connect sync lock has a TOCTOU race; concurrent syncs can both pass the check #93 says duplicates land in .context/shared/ — that's the pre-rename path; the renderer joins cfgHub.DirHub (render.go:32), so the spec and this PR say .context/hub/.
• Out of scope, per the issue: stale-lock detection (crashed process leaves a stale lock until a follow-up adds PID/age cleanup) and the flock alternative (Unix-only; SafeTryLock matches the existing sentinel model).
• Scope: the bash-3.2 make audit fix that previously rode along in this PR has been split into fix(hack): guard empty-array expansion in lint-drift for bash 3.2 #117, per the contributing guide's one-concern-per-PR preference. This PR is now surgical on ctx connect sync lock has a TOCTOU race; concurrent syncs can both pass the check #93. (Running make audit locally on stock-macOS bash 3.2 needs fix(hack): guard empty-array expansion in lint-drift for bash 3.2 #117; CI and Linux are unaffected.)

🤖 Generated with Claude Code