fix(git-sync): address PR #119 review — close 403/404 space-existence leak + warnings/tests/arch

Security (must-fix):
- /git smart-HTTP gate: an authenticated NON-member of a git-sync space now gets
  404 (not 403), so the 403<->404 difference can no longer be used to brute-force
  which spaces exist / have git-sync enabled. 403 is reserved for a MEMBER who
  lacks the required role (existence already known). New gate input
  userIsSpaceMember; decision-table + service specs extended.

Config (must-fix):
- Remove the dead GIT_SYNC_SSH_KEY_PATH knob (getter + validation field + two
  .env.example lines) — it had zero consumers and advertised a nonexistent push
  capability.

Stability/docs (warnings):
- Wire the lost-lock AbortSignal into runReceivePack -> git http-backend so the
  receive-pack child is killed if the per-space lock lapses mid-write.
- Raise the divergent-`docmost` (invariant §5) push refusal from info -> warn and
  surface divergentDocmost in the run status (/status).
- Comment the stale read-after-debounced-collab-write updatedAt in
  importPageMarkdown (deferred §10 loop-guard must not trust it).
- Fix the Dockerfile comment: the loader uses require.resolve + dynamic import(),
  it deliberately does NOT require('@docmost/git-sync').
- Merge the two near-identical space toggle handlers into one parameterized
  handler; add the 2 missing en-US i18n keys for the auto-merge switch (ru-RU not
  maintained for these git-sync strings, mirrored).

Tests:
- isGitSyncHttpEnabled() default-branch (unset -> isGitSyncEnabled fallback).
- agentSourceFields 'git-sync' case (source stamped, chat key omitted).
- editor-ext name-level schema contract (vendored mirror superset of editor-ext
  node/mark types) + the new shared resolver + non-member 404 gate cases.

Architecture:
- Extract resolveRequestWorkspace shared by DomainMiddleware + GitHttpService
  (the two real self-hosted/cloud copies; McpService has no cloud branch).
- Document the in-process setInterval multi-replica limitation + BullMQ/fencing
  future direction (deferred, not implemented).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packages/git-sync/test/schema-editor-ext-contract.test.ts

@@ -0,0 +1,79 @@
+import { describe, it, expect } from "vitest";
+import { getSchema } from "@tiptap/core";
+
+import { docmostExtensions } from "../src/lib/docmost-schema.js";
+import * as editorExt from "@docmost/editor-ext";
+
+// CROSS-PACKAGE SCHEMA CONTRACT (data-loss-sensitive).
+//
+// `src/lib/docmost-schema.ts` is a hand-synced VENDORED MIRROR of the canonical
+// Docmost schema in `@docmost/editor-ext`. The sibling `schema-surface-snapshot`
+// test pins the mirror's FULL surface (names + attrs) against an inline
+// reference, but that reference is hand-curated and does not mechanically tie to
+// editor-ext. This test closes that gap from the other side: it reads the ACTUAL
+// Tiptap node/mark definitions exported by `@docmost/editor-ext` and asserts the
+// vendored mirror is a SUPERSET of their type NAMES — so a Docmost-specific node
+// or mark added upstream that the mirror forgets to vendor fails CI loudly
+// (otherwise it is silently dropped on the markdown <-> ProseMirror round-trip).
+//
+// LIMITATION (intentional, see schema-surface-snapshot.test.ts): this is a
+// NAME-LEVEL contract only, not a full attribute-level structural compare.
+// editor-ext's Tiptap representation (node views, commands, suggestion plugins,
+// addGlobalAttributes spread across separate extensions) differs from this
+// minimal mirror, so a mechanical attribute-by-attribute equality would be
+// fragile and produce false drift. Attribute parity is guarded by the inline
+// surface snapshot (reviewed in every diff); this test guards that no canonical
+// node/mark TYPE goes unmirrored. StarterKit-provided types (paragraph, bold,
+// heading, …) are contributed by @tiptap/starter-kit in the mirror rather than
+// by editor-ext, so they are naturally covered by the mirror's superset.
+
+/** Tiptap Node/Mark instances expose a `.name` and a `.type` of 'node'|'mark'. */
+function isTiptapNodeOrMark(
+  value: unknown,
+): value is { name: string; type: "node" | "mark" } {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    "name" in value &&
+    typeof (value as { name: unknown }).name === "string" &&
+    "type" in value &&
+    ((value as { type: unknown }).type === "node" ||
+      (value as { type: unknown }).type === "mark")
+  );
+}
+
+/** The set of node/mark type names the vendored mirror actually registers. */
+function vendoredNames(): Set<string> {
+  const schema = getSchema(docmostExtensions as never);
+  return new Set([
+    ...Object.keys(schema.nodes),
+    ...Object.keys(schema.marks),
+  ]);
+}
+
+/** The Docmost-specific node/mark type names exported by @docmost/editor-ext. */
+function editorExtNames(): Set<string> {
+  const names = new Set<string>();
+  for (const value of Object.values(editorExt)) {
+    if (isTiptapNodeOrMark(value)) names.add(value.name);
+  }
+  return names;
+}
+
+describe("docmost schema vs @docmost/editor-ext (name-level contract)", () => {
+  it("exposes Tiptap node/mark definitions from editor-ext (guards against the import going dark)", () => {
+    // If editor-ext ever stops exporting concrete node/mark objects (e.g. a
+    // barrel refactor), this contract would vacuously pass — assert it found a
+    // meaningful set so the test cannot silently become a no-op.
+    expect(editorExtNames().size).toBeGreaterThan(5);
+  });
+
+  it("vendors every Docmost-specific node/mark type defined in editor-ext (no silently-dropped types)", () => {
+    const vendored = vendoredNames();
+    const missing = [...editorExtNames()].filter((n) => !vendored.has(n)).sort();
+    // missing must be empty: any name here exists in editor-ext but NOT in the
+    // vendored mirror, so documents using it would lose that node/mark on a
+    // git-sync round-trip. Re-sync src/lib/docmost-schema.ts before clearing.
+    expect(missing).toEqual([]);
+  });
+});