fix: coord review remediations — path traversal, JSON parse, race condition

Addresses code review findings from P2-005:
- Validate projectPath against allowed workspace roots (path traversal)
- Guard JSON.parse with try/catch in loadMission, readActiveSession, readSessionLock
- Add delay after stale lock removal to reduce race window
- Add @Inject(CoordService) per project guideline (no emitDecoratorMetadata)
- Eliminate double loadMission in getTaskStatus via shared buildStatusSummary
- Fix fragile prompt-inclusion check to test original command for {prompt}
- Add mkdir to writeAtomic for consistency with other atomic helpers

Closes #80

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/coord/src/mission.ts

@@ -379,7 +379,14 @@ export async function loadMission(projectPath: string): Promise<Mission> {
     throw error;
   }
 
-  const mission = normalizeMission(JSON.parse(raw), resolvedProjectPath);
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error(`Invalid JSON in mission file: ${filePath}`);
+  }
+
+  const mission = normalizeMission(parsed, resolvedProjectPath);
   if (mission.status === 'inactive') {
     throw new Error('Mission exists but is inactive. Re-initialize with mosaic coord init.');
   }