fix(entity_registry): clean up .tmp sidecar on write or rename failure (#1373)

[arnoldwender]

What and Why

#1215 made EntityRegistry.save() atomic via temp-file + fsync + os.replace. Crash-mid-write durability is correct — the previous registry stays intact on any failure. But the .tmp sidecar was left on disk if f.write() / f.flush() / os.fsync() / os.replace() raised. Subsequent saves overwrite the same temp filename so this does not grow unboundedly, but it litters the palace directory and obscures diagnostics: a user inspecting entity_registry.json.tmp after a crash cannot tell whether it is the in-flight write of an ongoing process or stale debris from a prior failure.

@igorls flagged this in #1373.

Root Cause

mempalace/entity_registry.py:328-338 — the write + chmod + os.replace block ran without an outer try/except. The with open(...) as f: block closes the fd on exit but does not unlink the file. If f.write(), f.flush(), or os.fsync() raised (disk full, perms flip, broken FUSE mount, IO error), the temp file stayed. If os.replace() raised, same outcome.

Reproduction

import os, pytest
from mempalace.entity_registry import EntityRegistry

registry = EntityRegistry.load(config_dir=tmp_path)
registry.seed(mode='personal', people=[{'name': 'Alice', 'relationship': 'friend', 'context': 'personal'}], projects=[])
registry.save()

# Force os.fsync to raise — simulates IO error after bytes are in page cache
real_fsync = os.fsync
os.fsync = lambda fd: (_ for _ in ()).throw(OSError('IO error'))
try:
    registry.seed(mode='personal', people=[{'name': 'Bob', ...}], projects=[])
    registry.save()
except OSError:
    pass
os.fsync = real_fsync

# Before this PR:
list(tmp_path.glob('entity_registry.json.tmp*'))  # ['entity_registry.json.tmp']  ← litter

# After this PR:
list(tmp_path.glob('entity_registry.json.tmp*'))  # []

Change Summary

• mempalace/entity_registry.py:328-348 — wrap the write + chmod + os.replace block in try/except BaseException. On failure, tmp_path.unlink(missing_ok=True) and re-raise. The dir-fsync stays outside the try because it only runs on the successful-rename path.
• Cleanup uses BaseException so KeyboardInterrupt mid-write also leaves a clean directory; the inner unlink itself is wrapped against an OSError race so cleanup cannot mask the original exception.
• tests/test_entity_registry.py — augment test_save_preserves_previous_on_serialization_failure with an additional assert leftover == [] after the forced os.replace failure.
• tests/test_entity_registry.py — new test_save_cleans_tmp_on_write_failure that forces os.fsync to raise (the gap between write and rename that the existing test does not cover) and asserts both the durability invariant (previous registry intact) and the cleanup invariant (no .tmp sidecar left).

Test Plan

• All 32 test_entity_registry.py tests pass.
• Full suite: 1549 passed (1548 → 1549, my new test); 76 pre-existing failures on macOS ARM64 are the chromadb_rust_bindings segfault tracked in chromadb_rust_bindings segfaults on macOS 26.4 (Darwin 25.4) ARM64 — all >=1.5.4,<2 versions affected #1355 and are identical on pristine develop.
• ruff check . passes on both modified files.
• ruff format --check . passes.
• Manually verified: forcing os.fsync and os.replace to raise leaves no .tmp litter; previous registry content unchanged.

Closes #1373.

[arnoldwender]

Rebased on upstream/develop (latest 1247e17, post-3.3.5 release). No logical changes — conflict-free rebase, only commit replay onto current develop. CI green pre-rebase; awaiting fresh CI run.