Addresses the reviewer's blocker (comment 15915): release() unconditionally
unlinked restart.lock, so after a stale/max-wait break an OLD owner could
delete a NEWER owner's lock, letting a third restart interleave and defeating
the guard.
- Each acquire writes a unique owner token (randomUUID) into the lock file.
- release() only unlinks while that token is still on disk; once another caller
has broken and re-owned the lock, the timed-out original owner's release() is
a no-op and leaves the new owner's lock intact.
- Breaking a stale/timed-out lock now takes ownership atomically via
write-temp + rename (atomic replace) instead of a blind unlink-then-recreate;
a breaker that loses a concurrent takeover reads back a foreign token and
keeps waiting rather than assuming ownership.
Regression test (does not let a timed-out owner drop a lock another restart
broke and re-owned) reproduces the three-restart interleave: R1 hangs (stale),
R2 breaks + re-owns, R1.release() must NOT drop R2's lock. Fails on the old
blind-unlink path (ENOENT), passes now. Also adds explicit single-agent
restart-path guard coverage (review should-fix).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
43ad813e0d