Enforce manualmutexunlock in CI and eliminate non-deferred mutex unlock paths

[Copilot]

manualmutexunlock was registered but not enforced in CI, allowing production lock/unlock sequences that could leak locks on panic/early-return. This PR enables enforcement and refactors the remaining flagged sites to use deferred unlock patterns.

• CI enforcement

  • Updated .github/workflows/cgo.yml custom linter selector to include -manualmutexunlock in LINTER_FLAGS.

• Panic-safe lock handling in production paths

  • Replaced manual Lock/RLock → Unlock/RUnlock pairs with deferred unlocks (often via small scoped closures to keep lock lifetime tight) in:
    • pkg/agentdrain/miner.go
    • pkg/agentdrain/coordinator.go
    • pkg/console/spinner.go
    • pkg/cli/compile_watch.go
    • pkg/cli/docker_images.go
    • pkg/parser/virtual_fs.go
    • pkg/parser/virtual_fs_wasm.go

• Refactor pattern used

  • Converted branchy/manual unlock blocks into scope-contained critical sections with defer:

running := func() bool {
    s.mu.Lock()
    defer s.mu.Unlock()
    if !s.running {
        return false
    }
    s.running = false
    return true
}()

[Copilot]

Pull request overview

This PR enables CI enforcement of the manualmutexunlock custom linter and refactors remaining production mutex unlock paths to use deferred unlock patterns for panic-safe lock release.

Changes:

• Adds -manualmutexunlock to the custom linter flags in the CGO workflow.
• Converts manual mutex unlock sequences to defer-based unlocks.
• Uses scoped closures where needed to keep critical sections narrow.

Show a summary per file

File	Description
.github/workflows/cgo.yml	Enables manualmutexunlock in the enforced custom linter set.
pkg/agentdrain/coordinator.go	Defers coordinator read-lock release in minerFor.
pkg/agentdrain/miner.go	Defers miner locks in event training and analysis paths.
pkg/cli/compile_watch.go	Refactors debounce mutex handling to deferred unlocks.
pkg/cli/docker_images.go	Refactors Docker mock state and download cleanup locking.
pkg/console/spinner.go	Refactors spinner lifecycle locking to deferred unlocks.
pkg/parser/virtual_fs.go	Defers builtin virtual file read-lock release.
pkg/parser/virtual_fs_wasm.go	Defers builtin virtual file read-lock release in wasm builds.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 8/8 changed files
• Comments generated: 0