Closes #730.

Summary

• POSIX --force semantics rely on unlink-while-open — shutil.rmtree succeeds with a live SQLite writer because the directory entry vanishes while the inode lives until the fd closes.
• Windows refuses to unlink files held by an open handle (WinError 32), so the previous behavior crashed mid-_delete_inventory and left the state directory half-wiped.
• This PR pins the contract to option (a) from the issue: refuse cleanly with a Windows-specific message instead of attempting a partial wipe. Exit code 2, mirroring the existing refusal path.
• The trailing pass --force to override advice in the existing not-force refusal block is also dropped on Windows (it would just refuse again), and lsof / ps aux hints are replaced with handle.exe / Task Manager / Get-Process so the guidance is actionable on each platform.
• The previously-skipped test_force_overrides_db_lock is replaced with a POSIX/Windows pair. The Windows variant seeds a sentinel non-DB file (config.json + memories/) and asserts they survive — proving the refusal fired before _delete_inventory ran, not after a partial wipe.

Out of scope (orthogonal follow-up)

Q2 from the issue — transactional wipe (stage to a sibling dir + atomic rename on success) is intentionally NOT in this PR. It helps even on POSIX (mid-rmtree perm/FS errors leave half-gone state today), but bundling it would muddle the contract decision. Will file a separate issue/PR.

Test plan

• uv run ruff check + ruff format --check (clean)
• uv run mypy packages/memtomem/src/memtomem/cli/uninstall_cmd.py (clean)
• uv run pytest packages/memtomem/tests/test_uninstall_cmd.py -m "not ollama" — 28 passed, 1 skipped (the Windows-only test, as expected on macOS)
• Windows CI lane: new test_force_refuses_on_windows_when_writer_alive runs and passes; test_force_overrides_db_lock_posix is skipped; test_refuses_when_writer_holds_lock passes with the platform-conditional lsof/handle.exe assertion.

🤖 Generated with Claude Code