fix: harden ssh local tunnel binding against TOCTOU races

[eliottwantz]

Closes #216

Summary

Harden SSH local port forwarding against a TOCTOU race during tunnel setup.

Previously, TablePro scanned for a free local port, released it, and only then launched ssh -L .... Another local process could bind that port in the gap between the availability check and the actual ssh bind.

This change removes that race by letting ssh perform the bind directly and retrying only when ssh reports a local forwarding bind failure.

What changed

• Replaced the pre-bind findAvailablePort() flow with launch-and-retry logic over candidate ports
• Added -o ExitOnForwardFailure=yes so local forwarding bind failures fail fast
• Bound the local forward explicitly to 127.0.0.1
• Tightened readiness checks so the forwarded port must:
  • accept connections, and
  • be owned by the launched process tree
• Added focused unit tests for:
  • retryable local bind failures
  • process-tree ownership detection

Why

The old flow had a classic TOCTOU window:

1. TablePro checked whether a local port was free
2. The check released the port
3. ssh later attempted to bind the same port

A competing local process could win that race and either:

• cause ssh to fail binding, or
• be mistaken for the expected tunnel if readiness only checked whether something was listening

This PR makes tunnel setup fail closed and retries only on the specific local bind race case.

Testing

• Added unit coverage for bind-failure classification
• Added unit coverage for process-tree ownership checks

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[eliottwantz]

I have read the CLA Document and I hereby sign the CLA.