chore: build hygiene — MSRV job, cache scoping, dep dedup

[pratyush618]

Summary

Three small build-hygiene wins bundled together — all pure config / deps, zero runtime behaviour change.

Cache quota

Cache storage on this repo was at 9.33 GB of 10 GB before this PR. The test matrix was writing 6 fresh caches per commit (3 OSes × 2 Python versions) because every combination had its own key and every run saved.

Fix: Swatinem/rust-cache gets a shared-key across Python versions (pyo3 / abi3 builds don't vary by Python minor) plus save-if: ${{ github.ref == 'refs/heads/main' }} so PRs read the main-branch cache but don't write new ones. New MSRV job uses the same scoping.

Expected steady-state: one authoritative cache per OS, refreshed on each main commit.

MSRV verification

We declare rust-version = "1.75" in [workspace.package] but nothing verified it. New msrv job installs 1.75 via dtolnay/rust-toolchain and runs cargo check --workspace. Uses RUSTUP_TOOLCHAIN=1.75 env override so rust-toolchain.toml (which pins contributors to stable) doesn't take precedence in CI.

RustCrypto dedup

paperjam-core had md-5 = "0.11" while the rest of the crypto stack (digest / block-buffer / sha2 / sha1 / rsa / p256 / ecdsa) sat on 0.10. Result: duplicate block-buffer 0.10 + 0.12, digest 0.10 + 0.11, md-5 0.10 + 0.11 in the dep tree. Pinning md-5 = "0.10" collapses all three duplicates. The md-5 0.10 → 0.11 API change is a no-op for how we use it.

Also drops an unused sha2::digest::Digest as Sha2Digest import that the rebuild flagged.

Test plan

• cargo tree --workspace --duplicates | grep md-5 — no duplicates
• cargo test --workspace — 16 Rust tests pass (4 xlsx + 5 mcp + 7 zip_safety)
• pre-commit run --all-files — every hook passes
• MSRV job on CI — first run will tell us whether 1.75 is actually honest; if a transitive dep needs newer, we either bump the MSRV claim or patch the dep pin