fix: correct deadlock in requestLock (await prevLock, not currentLock)
The previous implementation constructed currentLock as
`prevLock.then(() => new Promise(resolve => releaseLock = resolve))`
and then `await currentLock` before running `fn`. That inner promise
only resolves when `releaseLock()` runs, but `releaseLock()` is in
the same caller's `finally`, which is only reached after the await
returns. Every OAuth session restore was awaiting a promise only
the caller itself could resolve, and hanging forever.
Fix: construct currentLock as a plain release-signal promise, store
it into the map immediately, then `await prevLock` (the previous
holder's release signal) before calling `fn`. The existing cleanup
that deletes the map entry when `locks.get(key) === currentLock`
is preserved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>