fix(update): prevent updateRemoveDir from deleting non-wrapper directories

The ?? fallback after wrapperSpec() returned undefined was reading
dependencies from an arbitrary parent directory's package.json,
which could match and return that directory as the removal target.

For example, when the plugin sits inside .config/opencode/node_modules/,
updateRemoveDir would return .config/opencode as the dir to rm -rf,
because .config/opencode/package.json lists the DCP dependency.

Remove the fallback entirely. wrapperSpec() is the sole authority:
if the wrapper directory doesn't match the expected opencode naming
convention (@scope/pkg@spec), return undefined.

Add a regression test that reproduces the .config/opencode-like
directory structure and asserts undefined is returned.

Author: zhexulong

lib/update.ts

@@ -87,8 +87,7 @@ export async function updateRemoveDir(packageDir: string, name: string) {
     if (basename(nodeModulesDir) !== "node_modules") return undefined
 
     const wrapperDir = dirname(nodeModulesDir)
-    const wrapperPkg = await readPackageJson(join(wrapperDir, "package.json"))
-    const spec = wrapperSpec(wrapperDir, name) ?? wrapperPkg?.dependencies?.[name]
+    const spec = wrapperSpec(wrapperDir, name)
     if (!spec || !isAutoUpdatableSpec(spec)) return undefined
 
     return wrapperDir

tests/update.test.ts

@@ -40,6 +40,23 @@ test("updateRemoveDir removes opencode npm wrapper for latest installs", async (
     assert.equal(await updateRemoveDir(packageDir, "@tarquinen/opencode-dcp"), wrapperDir)
 })
 
+test("updateRemoveDir rejects directories not matching opencode wrapper naming", async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), "dcp-update-"))
+    // Simulate .config/opencode-like setup: plugin lives in node_modules but
+    // the parent dir is NOT an @scope/pkg@spec wrapper — updateRemoveDir
+    // must NOT return the parent dir even if its package.json lists the dep.
+    const packageDir = join(rootDir, "node_modules", "@tarquinen", "opencode-dcp")
+    await writePackageJson(rootDir, {
+        dependencies: { "@tarquinen/opencode-dcp": "latest" },
+    })
+    await writePackageJson(packageDir, {
+        name: "@tarquinen/opencode-dcp",
+        version: "3.1.9",
+    })
+
+    assert.equal(await updateRemoveDir(packageDir, "@tarquinen/opencode-dcp"), undefined)
+})
+
 test("updateRemoveDir skips version-locked opencode installs", async () => {
     const rootDir = await mkdtemp(join(tmpdir(), "dcp-update-"))
     const wrapperDir = join(rootDir, "@tarquinen", "opencode-dcp@3.1.9")