Demonstrate the basic worktree-to-deployment pipeline using a minimal container (rsync only). This is the simplest possible end-to-end path: check out a git revision, mount it into a container, rsync the output to a bind-mounted deployment target.

What this experiment covers

Checking out a specific git revision into a worktree layer
Starting a Docker container with:
- The worktree bind-mounted read-only as the source
- The deployment target bind-mounted writable as the destination
Running rsync inside the container to publish
Verifying the result on the host

What this experiment does NOT cover

Overlayfs (the worktree is a plain bind mount here — overlay comes later)
Caches
Container reuse / stop-start lifecycle
Network isolation

Deployment target

sites.efforting.tech — details TBD (path on host, permissions, ownership).

Open questions for this experiment

What user does the container run as, and how does it get write access to the deployment target?
Do we rsync into a staging path and then atomically swap, or write directly?
What is the exact rsync flags we want (delete extraneous files? preserve timestamps?)?