fix: surface scan findings across dlx + stdio + promise-queue

- src/promise-queue.ts: wrap task.fn() via Promise.resolve().then() so
  a sync throw inside the task function converts into a proper rejection
  routed to task.reject instead of escaping as an uncaught exception.
- src/stdio/progress.ts: clamp negative ms in formatTime() so a negative
  ETA (current > total due to over-ticking or clock skew) no longer
  renders as "-1m59s".
- src/dlx/lockfile.ts: wrap the scratch-dir safeDelete in finally with
  its own try/catch so a cleanup failure doesn't clobber the real
  exception from the try-block.
- src/dlx/package.ts: normalize parsePackageSpec to return
  `version: undefined` for a bare trailing "@" (e.g. "pkg@") so
  downstream "no version" checks behave consistently.
- src/dlx/manifest.ts: correct the @fileoverview "Primary API" list to
  match the actual DlxManifest methods (get/set/clear/clearAll/isFresh/
  getManifestEntry) and flag setPackageEntry/setBinaryEntry as deprecated.

From scan findings: not fixing stdio/prompts.ts's silent swallow — the
tests in test/unit/stdio/prompts.test.mts explicitly assert that
non-TypeError rejections return undefined (that's the documented
Ctrl-C path). Discarded three scanner claims that were wrong (already
handled by existing guards). Full suite: 6290 passing.

Author: jdalton

src/dlx/lockfile.ts

@@ -228,6 +228,10 @@ export async function generatePackagePin(
       lockfile: ideal.lockfile,
     }
   } finally {
-    await safeDelete(scratch, { force: true })
+    // Swallow cleanup failures so a scratch-dir-delete error doesn't
+    // mask the real exception from the try-block.
+    try {
+      await safeDelete(scratch, { force: true })
+    } catch {}
   }
 }

src/dlx/manifest.ts

@@ -3,10 +3,16 @@
  * Manages persistent caching of DLX package and binary metadata with TTL support
  * and atomic file operations.
  *
- * Key Functions:
- * - getManifestEntry: Retrieve manifest entry by spec
- * - setPackageEntry: Store npm package metadata
- * - setBinaryEntry: Store binary download metadata
+ * Primary API (on {@link DlxManifest}):
+ * - `getManifestEntry(spec)` — retrieve a manifest entry by spec
+ * - `set(name, record)` — store a raw `StoreRecord`
+ * - `get(name)` — read a raw `StoreRecord`
+ * - `clear(name)` / `clearAll()` — eviction
+ * - `isFresh(record, ttlMs)` — TTL check
+ *
+ * Legacy typed setters `setPackageEntry` and `setBinaryEntry` exist but
+ * are deprecated; new callers should construct a `StoreRecord` and use
+ * `set(name, record)` directly.
  *
  * Features:
  * - TTL-based cache expiration

src/dlx/package.ts

@@ -851,9 +851,12 @@ export function parsePackageSpec(spec: string): {
       // No version or scoped package without version (@ only at position 0).
       return { name: spec, version: undefined }
     }
+    const sliced = spec.slice(atIndex + 1)
     return {
       name: spec.slice(0, atIndex),
-      version: spec.slice(atIndex + 1),
+      // A trailing `@` (e.g. `'pkg@'`) yields an empty slice — normalize
+      // to undefined so downstream "no version" checks behave.
+      version: sliced || undefined,
     }
   }
 }

src/promise-queue.ts

@@ -70,8 +70,11 @@ export class PromiseQueue {
 
     this.running++
 
-    task
-      .fn()
+    // Wrap in Promise.resolve().then() so a synchronous throw inside
+    // task.fn() converts into a rejection routed to task.reject rather
+    // than escaping as an uncaught exception.
+    Promise.resolve()
+      .then(() => task.fn())
       .then(task.resolve)
       .catch(task.reject)
       .finally(() => {

src/stdio/progress.ts

@@ -232,7 +232,9 @@ export class ProgressBar {
    * Format time in seconds to human readable.
    */
   private formatTime(ms: number): string {
-    const seconds = Math.round(ms / 1000)
+    // Clamp negatives (can happen when current > total due to over-ticking
+    // or clock skew) to 0 so we don't render "-1m59s".
+    const seconds = Math.max(0, Math.round(ms / 1000))
     if (seconds < 60) {
       return `${seconds}s`
     }