fix: coord review remediations (path traversal, JSON parse, race condition) (#81)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

packages/coord/src/tasks-file.ts

@@ -219,6 +219,7 @@ async function acquireLock(lockPath: string): Promise<void> {
         const stats = await fs.stat(lockPath);
         if (Date.now() - stats.mtimeMs > TASKS_LOCK_STALE_MS) {
           await fs.rm(lockPath, { force: true });
+          await delay(TASKS_LOCK_RETRY_MS);
           continue;
         }
       } catch (statError) {
@@ -240,6 +241,7 @@ async function releaseLock(lockPath: string): Promise<void> {
 
 async function writeAtomic(filePath: string, content: string): Promise<void> {
   const directory = path.dirname(filePath);
+  await fs.mkdir(directory, { recursive: true });
   const tempPath = path.join(
     directory,
     `.TASKS.md.tmp-${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2)}`,