Fix concurrent SetSecret calls silently clobbering each other

[JAORMX]

Summary

• EncryptedManager had a TOCTOU race: it loaded the secrets file at construction time and wrote that stale snapshot back under the file lock, silently overwriting changes from other processes. In practice, OAuth token refreshes from long-running proxy processes would clobber secrets set by concurrent thv secret set CLI invocations (and vice versa), causing ~8% secret loss under contention.
• Mutations (SetSecret, DeleteSecret, Cleanup) now re-read the file from disk inside the critical section before applying changes, eliminating the stale-snapshot problem.
• Added a per-path in-process sync.Mutex to WithFileLock because flock(2) does not provide mutual exclusion between different file descriptors within the same process.

Fixes #4339

Type of change

• Bug fix

Test plan

• Unit tests (task test) — existing TestEncryptedManager_Concurrency now passes reliably (previously flaky); ran 50 iterations with zero failures
• Manual testing — verified go vet passes on both changed packages

Changes

File	Change
pkg/secrets/encrypted.go	SetSecret/DeleteSecret/Cleanup now read-modify-write inside the lock instead of using a stale in-memory snapshot; extracted readFileSecrets/writeFileSecrets helpers; simplified NewEncryptedManager to reuse readFileSecrets
pkg/fileutils/lock.go	Added per-path sync.Mutex registry (processLocks) so WithFileLock serializes both across processes (flock) and within the same process (mutex)

Does this introduce a user-facing change?

Yes — thv secret set will no longer silently lose secrets when other processes (e.g. OAuth token refreshes) write to the secrets file concurrently. Users who previously needed retry-based workarounds (#4339) should no longer experience secret loss.

Special notes for reviewers

• The in-memory syncmap.Map cache is now updated with targeted Store/Delete calls (not a full cache replacement) to avoid a window where concurrent GetSecret reads see an empty cache. This means the cache may not reflect keys added by other processes, but that's acceptable: CLI one-shots create a fresh manager per invocation, and long-running proxies only need their own tokens.
• readFileSecrets handles empty files and missing files gracefully, returning an empty map rather than erroring.
• The DeleteSecret existence check moved inside the lock and now checks the on-disk state, not the potentially-stale in-memory cache.

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 46.96970% with 35 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.38%. Comparing base (074326e) to head (beb1198).
⚠️ Report is 9 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/secrets/encrypted.go	42.10%	11 Missing and 22 partials ⚠️
pkg/fileutils/lock.go	77.77%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4345      +/-   ##
==========================================
- Coverage   68.45%   68.38%   -0.08%     
==========================================
  Files         479      479              
  Lines       48642    48669      +27     
==========================================
- Hits        33300    33281      -19     
- Misses      12373    12390      +17     
- Partials     2969     2998      +29     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[amirejaz]

Solid fix — the read-modify-write pattern inside the lock and the processLocks in-process mutex address the root cause cleanly. The Stat() removal is correct: readFileSecrets replaces stat.Size() > 0 with len(data) == 0 after os.ReadFile, and also handles the non-existent file case. A few gaps below.