fix: gate Ford VP44 unlock on CAN liveness to prevent false-unlocked reads

Before this fix, StartUnlockIfRequired was called immediately after
registering the pump's CAN parameters, before any frames had been
decoded. The TestUnlock parameter's zero-initialised Value was
interpreted as "unlocked" for Type 1 pumps, causing Phase 1 to be
skipped and UnlockCompleted(true) to fire falsely.

Changes:
- ICanService: add IsPumpAlive property (volatile-backed in PcanAdapter)
- PcanAdapter: implement IsPumpAlive; mark _pumpAlive/_benchAlive volatile
  for safe cross-thread reads
- MainViewModel: replace direct StartUnlockIfRequired call with a
  fire-and-forget WaitForPumpCanThenUnlockAsync that waits for
  PumpLivenessChanged(true) + 250 ms grace, then invokes unlock on the
  UI thread; cancellation on pump change or CAN disconnect via
  _pumpLivenessCts
- UnlockService.UnlockAsync: skip Phase 2 state-machine when observer
  seed already reports unlocked (senders still run to prevent re-lock)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Services/ICanService.cs

@@ -41,6 +41,15 @@ namespace HC_APTBS.Services
         /// <summary>True when the CAN read thread is running and the channel is open.</summary>
         bool IsConnected { get; }
 
+        /// <summary>
+        /// True when pump-ECU frames have been received within the last liveness window.
+        /// Mirrors the last value broadcast via <see cref="PumpLivenessChanged"/>.
+        /// Used by pump-selection flows (e.g. immobilizer unlock) to avoid reading stale
+        /// zero-initialised parameter values before the pump has actually started
+        /// transmitting on the bus.
+        /// </summary>
+        bool IsPumpAlive { get; }
+
         /// <summary>
         /// The PCAN channel handle that will be used on the next <see cref="Connect"/> call.
         /// Defaults to the channel supplied at construction.