Fix: recovery amplification loop and provider echo race (INV-SAFETY-02)

[Droyder7]

fixes #46

This PR resolves the unbounded file growth and data corruption loops observed during editor-bound
recoveries. The fix addresses a multi-layer root cause where the system misclassified its own
repairs as remote edits and inappropriately applied stale editor state back to the CRDT during
active recovery cycles.

Technical Details

The fix implements a defense-in-depth approach across three subsystems to enforce the
INV-SAFETY-02 and INV-EDIT-02 invariants:

1. Provider Echo Suppression (DiskMirror):

   • Implemented a TTL-based hash tracking mechanism (recentRepairEchoes) to identify local
     repair writes.
   • Refactored the afterTransaction observer to be asynchronous. It now computes the hash of
     incoming "remote" updates and suppresses disk writes if they are confirmed to be echoes of
     a recent local repair. This closes the race window where a stale echo could overwrite a
     concurrent external disk edit.

2. Recovery Guard (EditorBindingManager):

   • Added a strict runtime guard to the heal() method. It now accepts an
     isDiskAuthorityRecoveryActive predicate.
   • If a recovery is active for a path, heal() (writing editor → CRDT) is skipped in favor of
     repair() (applying CRDT → editor). This prevents "Frankenstein" patches from stale editor
     state from undoing a successful disk-authority recovery.

3. State Exposure (ReconciliationController):

   • Exposed isDiskAuthorityRecoveryActive() to allow other subsystems (like the editor binding)
     to respect active recovery locks.

4. Origin Cleanup:

   • Centralized all repair-related origin constants in LOCAL_STRING_ORIGIN_SET to prevent
     future classification failures.

Motivation
Previously, a local repair would trigger a Yjs provider echo that looked like a remote change.
This caused DiskMirror to schedule a disk write, which triggered a vault event, re-starting the
reconciliation and creating an infinite loop. Additionally, concurrent health checks in the editor
would often "heal" the CRDT back to a stale state before the editor had settled on the new
recovered content.

Verification

• New Integration Tests:
  • tests/inv-safety-02-round-trip.ts: Verifies echo suppression and prevents data loss against
    concurrent external edits.
  • tests/inv-edit-02-heal-after-recovery.ts: Verifies that heal() is correctly blocked during
    active recovery.
• Full Regression Suite: All 66 test suites passed.
• Fixes: Sync loop glitching making edits impossible #22, [Bug] Single-device infinite editor-bound sync loop in daily note (57-char Frankenstein chunk re-appended every ~4s) #25

Alternative Approaches Considered
We considered purely timing-based suppression, but content-hash verification in the
echo-suppressor was chosen for higher reliability, as it explicitly confirms the content matches
the repair before skipping the write.