fix(Pull-SDLC): make drift gate EOL-insensitive to avoid false positives

[MarkMichaelis]

Summary

Test-LocalDriftOnManagedPaths (the Pull-SDLC drift gate) compared raw
committed blob SHAs (HEAD:<path> vs <anchor>:<path>). Blob SHAs are
end-of-line sensitive, so a Windows consumer whose git committed the
synced files with CRLF ended up with HEAD blobs that differ from the
upstream LF blobs even though the content was byte-for-byte identical
after EOL normalization. The result was a spurious POLICY VIOLATION on
a completely clean working tree.

Diagnosis (issue #178)

Reproduced on the affected consumer (CopyToGooglePhotos) against anchor
f7d1f13:

• Every flagged instruction/skill/meta-script file showed a full
  raw diff but an EMPTY git diff --ignore-cr-at-eol -- i.e. EOL-only
  divergence (a false positive).
• The four .github/agents/*.agent.md files were genuine divergence
  (deleted upstream, still committed downstream) and remain correctly
  flagged.

Fix

When the fast blob-SHA pre-filter detects a difference, confirm it with
an EOL-insensitive content diff (git diff --quiet --ignore-cr-at-eol)
before reporting drift. Only paths that still differ after ignoring
CR-at-EOL are reported. Genuine divergence -- including upstream-deleted
files the consumer still has committed -- is preserved.

Tests

Added a Test-LocalDriftOnManagedPaths Describe block (behavior-first):

1. CRLF-vs-LF-only difference -> no drift (fails before the fix:
   "Expected 0, but got 1").
2. Genuine content change -> drift reported.
3. Upstream-deleted file still committed -> drift reported.

Full suite: 187 passed, 0 failed.

Closes #178