fix: emit warn diagnostic for I/O errors, keep silent only for ENOENT

Address Codex P1 + Greptile P2: the previous commit collapsed both
"path" (ENOENT) and "io" (EACCES/EMFILE) into silent null returns.

Now:
- reason="path" (missing file): return null silently — not a security issue
- reason="io" (permission/disk): push warn diagnostic — surface anomaly
  without aborting gateway
- reason="validation" (path escape): push error diagnostic — security violation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: HCL <chenglunhu@gmail.com>

src/plugins/discovery.ts

@@ -476,8 +476,17 @@ function resolvePackageEntrySource(params: {
     rejectHardlinks: params.rejectHardlinks ?? true,
   });
   if (!opened.ok) {
-    if (opened.reason !== "validation") {
-      // File missing (ENOENT) or I/O error — skip silently, not a security violation.
+    if (opened.reason === "path") {
+      // File missing (ENOENT) — skip, not a security violation.
+      return null;
+    }
+    if (opened.reason === "io") {
+      // Filesystem error (EACCES, EMFILE, etc.) — warn but don't abort.
+      params.diagnostics.push({
+        level: "warn",
+        message: `extension entry unreadable (I/O error): ${params.entryPath}`,
+        source: params.sourceLabel,
+      });
       return null;
     }
     params.diagnostics.push({