fix(enroll): fifth audit hardening — guards, atomic writes, docker check

[mdheller]

Summary

• DISK_FREE_KB numeric guard: [[ "${DISK_FREE_KB}" =~ ^[0-9]+$ ]] before integer arithmetic — malformed df output on a remounted/tmpfs partition would previously cause a fatal (( )) arithmetic error with no diagnosis
• HARMONIA_PUBKEY empty guard: validates non-empty after reading harmonia-signing.pub, parallel to the SIGNING_PUBKEY guard added in audit workstation: wire shell spine into install.sh #4
• KATELLO_PASSWORD empty guard: validates non-empty after reading katello-admin-password — catches zero-byte file from a failed gen_password pipe
• Atomic SOPS write: secrets.yaml is written via mktemp in /etc/sourceos/ then mv; previously sops > ${SECRETS_YAML} would truncate the file before sops ran, leaving an empty ciphertext on failure
• Atomic nix-cache-info write: cat > .tmp then mv — prevents nginx from serving a partial file during the write
• Atomic write_enroll_nix: writes enroll.nix via .tmp + mv — a partial write leaving broken Nix syntax would silently poison the next nixos-rebuild with an obscure parse error
• Docker container started check: counts docker ps --filter name=katello after compose up -d; compose exits 0 even when containers crash-loop immediately, so the previous code could proceed to a 20-minute Foreman wait with zero containers running

Test plan

• Dry-run: bash -n scripts/enroll.sh — no syntax errors
• DISK_FREE_KB guard: mock df returning "N/A" → exits with parse error message
• HARMONIA_PUBKEY guard: truncate harmonia-signing.pub to empty → exits with diagnosis
• KATELLO_PASSWORD guard: empty katello-admin-password → exits with re-enroll instructions
• Atomic SOPS: kill sops mid-write → secrets.yaml unchanged (old ciphertext preserved)
• Docker check: compose up -d with no containers → exits with diagnostic before 20-min wait
• Full physical M2 enroll run (P0 test)