audit and harden all 13 plumbing commands for production

Each command received a consistent pass: - Short flags: -f/--format on hash-object, cat-object, rev-parse, ls-files, commit-graph; -j/--json on ls-remote; -n/--max on commit-graph - Input validation: validate_object_id() guard on cat-object, read-commit, read-snapshot, update-ref before touching the store - Memory safety: hash-object now uses write_object_from_path() (streaming shutil.copy2) instead of path.read_bytes() — eliminates heap spike for large blobs; cat-object streams raw bytes at 64 KiB chunks, no 256 MB cap - Dead code: removed _read_repo_id (double json import, no encoding) and trivial _current_branch wrappers from rev-parse, commit-tree, ls-files, pack-objects, commit-graph; pathlib imports cleaned up accordingly - Encoding: update-ref write_text(..., encoding='utf-8'); commit-tree _read_repo_id now uses encoding='utf-8' and fails fast on missing/malformed repo_id (prevents writing a commit with empty repo_id) - Format validation: all --format options now reject unknown values with a clear error instead of silently falling through - Type precision: commit-graph nodes typed as _CommitNode TypedDict (not dict[str, str | None]); pack-objects drops needless 'have or None' idiom - Error contract: read-commit and read-snapshot emit validation errors as JSON to stdout (not stderr) so scripts can parse them uniformly - unpack-objects: already clean, no changes