feat(git-sync): per-space toggle for conflict-marker handling on push (#13)

Red-team #13 (conflict markers reaching Docmost) is now a per-space policy
exposed as a UI toggle, instead of a hardcoded behavior. New boolean
`gitSync.autoMergeConflicts` (default FALSE), mirroring the existing per-space
`gitSync.enabled` flag end-to-end (jsonb space settings -> update-space DTO ->
space.service -> client types -> space settings form switch):

- OFF (default, safe): a page whose committed body still has unresolved git
  conflict markers is NOT pushed — it is recorded as a per-page push FAILURE
  ("unresolved conflict markers — resolve in git first"). Recording a failure
  (not a soft skip) deliberately HOLDS refs/docmost/last-pushed so the conflict
  commit is never marked pushed and a later pull cannot clobber the user's
  in-progress resolution; the page retries until the conflict is resolved in git.
- ON: the marker lines are stripped and both sides' content is pushed (the prior
  behavior), so the conflict becomes visible/fixable inside Docmost.

The engine Settings carries `autoMergeConflicts`; runPush threads it into the
update AND create paths. The orchestrator's buildSettings reads the per-space
flag from jsonb (strict opt-in like `enabled`, default false).

Tests: redteam-push-cycle #13 rewritten (default -> not pushed + failure + refs
held; ON -> strip-and-push); space.service + edit-space-form + orchestrator
specs extended. git-sync vitest 618, server jest space+git-sync 163, client
edit-space-form 11, server/client tsc clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

apps/server/src/integrations/git-sync/services/git-sync.orchestrator.ts

@@ -107,11 +107,24 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
    * datasource writes in-process — so they are placeholders; only `vaultPath`,
    * `gitRemote`, and the tunables are load-bearing.
    */
-  private buildSettings(spaceId: string): Settings {
+  private async buildSettings(spaceId: string): Promise<Settings> {
     const remoteTemplate = this.environmentService.getGitSyncRemoteTemplate();
     const gitRemote = remoteTemplate
       ? remoteTemplate.replace(/\{spaceId\}/g, spaceId)
       : undefined;
+    // Per-space PUSH policy for still-conflicted page bodies (SPEC §9): read the
+    // `gitSync.autoMergeConflicts` flag from the space's jsonb settings. STRICT
+    // opt-in like `enabled` — anything other than the literal 'true' (absent, null,
+    // 'false') resolves to the SAFE default (skip a conflicted page, do not push).
+    const row = await this.db
+      .selectFrom('spaces')
+      .select(
+        sql<boolean>`settings->'gitSync'->>'autoMergeConflicts' = 'true'`.as(
+          'autoMergeConflicts',
+        ),
+      )
+      .where('id', '=', spaceId)
+      .executeTakeFirst();
     return {
       docmostApiUrl: 'http://native.local',
       docmostEmail: 'native@local',
@@ -122,6 +135,7 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
       pollIntervalMs: this.environmentService.getGitSyncPollIntervalMs(),
       debounceMs: this.environmentService.getGitSyncDebounceMs(),
       logLevel: 'info',
+      autoMergeConflicts: row?.autoMergeConflicts ?? false,
     };
   }
 
@@ -249,7 +263,7 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
     signal?: AbortSignal,
   ): Promise<GitSyncRunStatus> {
     const { runCycle } = await loadGitSync();
-    const settings = this.buildSettings(spaceId);
+    const settings = await this.buildSettings(spaceId);
     const vault = await this.vaultRegistry.getVault(spaceId);
     const client = this.dataSource.bind({ workspaceId, userId: serviceUserId });
     const maxDeletes = this.environmentService.getGitSyncMaxDeletesPerCycle();