fix(core): simplify directory lock fallback safety

[iam-brain]

Summary

• keep the proper-lockfile import-shape fix so the plugin can load when the package resolves as a CommonJS-style namespace
• simplify the directory fallback to retry-only locking with owner metadata used only for safe release
• replace the stale-window and heartbeat coverage with focused regressions around plugin loading and fallback lock safety

Root Cause

The plugin auth flow was not failing inside the auth menu first. It was failing earlier while loading the plugin because proper-lockfile did not expose an ESM default in this environment. The first lockfile patch fixed that loader mismatch, but the later fallback work introduced race-prone stale-reclaim behavior that was riskier than the original problem.

What Changed

lib/cache-lock.ts

• resolve proper-lockfile from both direct and namespace-shaped module exports
• keep a conservative directory-lock fallback when the import is unavailable
• write an owner token only so release() can avoid deleting a replacement lock
• remove stale reaping and heartbeat behavior from the fallback path

test/cache-lock.test.ts

• add a plugin-entry regression that imports ../index with a CommonJS-style proper-lockfile shape
• cover retry-only fallback behavior, owner-write cleanup, replacement-lock release safety, and no-stale-reap exclusivity

Validation

• npm run verify
• opencode auth login --print-logs
  • plugin loaded from /Users/bryanfont/Projects/iam-brain/opencode-openai-multi/dist/index.js
  • reached the provider picker without the previous proper-lockfile load failure

Follow-up

The earlier TTY auth investigation is still preserved in stash for the separate follow-up PR.