feat: implement announcement purgatory core (breaks archive sync test)

Route new announcements to purgatory instead of accepting immediately.
Announcements are promoted to the database when git data arrives,
ensuring we only serve announcements for repos with actual content.

Implemented:
- AnnouncementPurgatoryEntry type and DashMap store
- Route new announcements to purgatory (replacement announcements skip)
- Promote announcements on git data arrival (process_purgatory_announcements)
- Authorization checks purgatory announcements (fetch_repository_data_with_purgatory)
- State policy uses purgatory announcements for maintainer validation
- Cleanup task handles announcement expiry
- Updated count()/cleanup() to 3-tuples

Known broken:
- test_archive_read_only_creates_bare_repo fails: sync module does not
  treat purgatory announcements as confirmed repos, so per-repo sync
  (state events, PRs) is never triggered for purgatory announcements
- Announcement persistence (save/restore) not implemented
- SyncLevel (StateOnly vs Full) not implemented
- Soft expiry two-phase not implemented
- Expiry extension on state event / git auth not wired up

1 files changed, 36 insertions, 2 deletions

diff --git a/src/git/authorization.rs b/src/git/authorization.rs
index e174b51..9d53c4f 100644
--- a/src/git/authorization.rs
+++ b/src/git/authorization.rs
@@ -287,6 +287,39 @@ pub async fn fetch_repository_data(
     })
 }
 
+/// Fetch repository data including announcements from purgatory
+///
+/// This combines database announcements with purgatory announcements,
+/// which is needed for authorization when the announcement hasn't been
+/// promoted yet (no git data has arrived).
+pub async fn fetch_repository_data_with_purgatory(
+    database: &SharedDatabase,
+    purgatory: &crate::purgatory::Purgatory,
+    identifier: &str,
+) -> Result<RepositoryData> {
+    // First, fetch from database
+    let mut repo_data = fetch_repository_data(database, identifier).await?;
+
+    // Then, add announcements from purgatory
+    let purgatory_announcements = purgatory.get_announcements_by_identifier(identifier);
+    let purgatory_count = purgatory_announcements.len();
+
+    for entry in purgatory_announcements {
+        if let Ok(announcement) = RepositoryAnnouncement::from_event(entry.event) {
+            repo_data.announcements.push(announcement);
+        }
+    }
+
+    debug!(
+        "Fetched repository data with purgatory: {} announcements ({} from purgatory), {} states",
+        repo_data.announcements.len(),
+        purgatory_count,
+        repo_data.states.len()
+    );
+
+    Ok(repo_data)
+}
+
 pub fn pubkey_authorised_for_repo_owners(
     pubkey: &PublicKey,
     db_repo_data: &RepositoryData,
@@ -539,8 +572,9 @@ pub async fn get_state_authorization_for_specific_owner_repo(
     use crate::git::list_refs;
     use crate::purgatory::RefUpdate;
 
-    // Fetch announcements only - we don't need database states
-    let repo_data = fetch_repository_data(database, identifier).await?;
+    // Fetch announcements from database AND purgatory - needed for authorization
+    // when the announcement hasn't been promoted yet (no git data has arrived)
+    let repo_data = fetch_repository_data_with_purgatory(database, purgatory, identifier).await?;
 
     if repo_data.announcements.is_empty() {
         return Ok(AuthorizationResult::denied(