syncLocal() was a no-op: sync() on a local (file://) repo never
verified anything. Auto-discovered dev repos under /mere/dev/repo/
are safe because repo_sources.zig verifies before ever constructing a
RepoCache, but a file:// repo declared directly in config.kdl reached
this path with its own trusted_fingerprints configured and unchecked -
a repo.db signed by any key, or no key at all, would be trusted.
syncLocal now verifies the in-place repo.db/repo.db.sig against
trusted_fingerprints using the same verifyWithTrustedFingerprints path
remote sync already uses.
Two existing multi-repo tests (install.zig) had been signing a
differently-named db file (e.g. repo1.db) than the one Repository.init
actually reads from (the fixed repo.db/repo.db.sig filenames) - a
latent inconsistency invisible while local sync verified nothing.
Fixed both to sign the file that's actually read. Added a regression
test proving a local repo signed with an untrusted key is rejected;
verified it fails without the fix.