Filesystem-backed ref store.
Defense-in-depth ref name validation
Every public entry point (read_ref/2, resolve_ref/2, write_ref/4,
delete_ref/2) revalidates its ref argument against
Exgit.RefName.valid?/1 before any Path.join or file touch. The
clone/fetch perimeter already filters hostile ref names in
safe_ls_refs/2, but a direct caller of this module — or a follow-up
resolve_ref/2 that reads a ref: ../../etc/passwd target out of a
compromised on-disk ref file — would otherwise reach File.read with
an attacker-controlled path. We reject those inputs with
{:error, :invalid_ref_name} and emit a
[:exgit, :security, :ref_rejected] telemetry event.