Include local username in controlPath hash to prevent cross-user collisions

On multi-user systems, different users connecting to the same remote would
generate identical socket paths, causing permission errors. Now includes
os.userInfo().username in the hash to ensure socket isolation per user.

Addresses Codex review comment.

Author: ammar-agent

src/runtime/sshConnectionPool.test.ts

@@ -113,3 +113,20 @@ describe("sshConnectionPool", () => {
     });
   });
 });
+
+describe("username isolation", () => {
+  test("controlPath includes local username to prevent cross-user collisions", () => {
+    // This test verifies that os.userInfo().username is included in the hash
+    // On multi-user systems, different users connecting to the same remote
+    // would get different controlPaths, preventing permission errors
+    const config: SSHRuntimeConfig = {
+      host: "test.com",
+      srcBaseDir: "/work",
+    };
+    const controlPath = getControlPath(config);
+
+    // The path should be deterministic for this user
+    expect(controlPath).toBe(getControlPath(config));
+    expect(controlPath).toMatch(/^\/tmp\/cmux-ssh-[a-f0-9]{12}$/);
+  });
+});