fix(sync): robust git coupling — non-ASCII paths, config neutralization, runtime git

Address git-integration fragility (output is not parsed for control flow; we rely
on exit codes + plumbing — but porcelain BEHAVIOR is config-sensitive, and the
runtime image lacked git).

- listTrackedFiles: `git -c core.quotepath=false ls-files -z` + NUL split — fixes
  Cyrillic/UTF-8 vault filenames being returned octal-escaped/quoted
- Dockerfile: install git (node:22-slim ships none; the daemon shells out at runtime)
- VaultGit env: LC_ALL=C/LANG=C, GIT_PAGER=cat, GIT_TERMINAL_PROMPT=0; keep
  stripping GIT_DIR/GIT_WORK_TREE (cwd-isolation, §12)
- ensureRepo local config: core.autocrlf=false + core.safecrlf=false (protect §11
  byte-stability from a global autocrlf=true), commit.gpgsign=false, and
  core.attributesFile=/dev/null (neutralize a global clean/smudge filter that
  would rewrite the stored blob); commit uses --no-verify (skip injected hooks)
- assertGitAvailable() preflight: clear error if the git binary is missing
- tests: Cyrillic listTrackedFiles, LF byte-preservation of the stored blob,
  local-config neutralization incl. attributesFile (590+ green)

src/pull.ts

@@ -119,6 +119,9 @@ async function main(): Promise<void> {
   // 1. Ensure the vault git repo exists with main + an initial commit, and the
   //    engine-only `docmost` branch exists, branched from main.
   const git = new VaultGit(vaultRoot);
+  // Preflight: fail fast (with an actionable message via main().catch) if the
+  // git binary is missing — the entire vault state store relies on it.
+  await git.assertGitAvailable();
   await git.ensureRepo();
 
   // 1b. Refuse to run on top of an unresolved merge (SPEC §9 / §12). A previous