fix(security): harden output and release verification

[JSONbored]

Summary

• Harden Nightward redaction, report loading, provider execution, npm release verification, npm launcher cache integrity, demo artifact IDs, and Raycast output parity.

What changed

• Expanded core redaction for Basic/Bearer auth, provider tokens, opaque token-like values, sensitive assignments, and sensitive flag forms.
• Restricted package patch hints to safe package identifiers and defensively redacted fix-plan steps/previews.
• Normalized local endpoint detection for URL/text forms, root-dot localhost, private IPs, IPv6 link-local/ULA/loopback, and scoped IPv6.
• Drained provider stdout/stderr concurrently, failed closed on caps/timeouts, and made selected provider execution failures high severity.
• Added bounded regular-file report loading and safe schedule history skipping for oversized/special files.
• Switched npm release verification to real npm global install/bin-link checks.
• Revalidated npm launcher cached binaries from release checksums and rejected non-regular cached executable targets.
• Recomputed scrubbed demo IDs, added a demo ID checker, and added a narrow gitleaks allowlist for synthetic provider fixtures.
• Aligned Raycast redaction tests with the core leaked shapes.

Why

• These changes close the reported secret-disclosure, scanner bypass, local DoS, provider fail-open, npm supply-chain verification, cache-trust, and public demo metadata issues against the current Rust implementation.

Validation

• Codex Security diff pass: no surviving reportable issues after local fixes.
• CodeRabbit initial review raised 2 major issues; both were fixed. Rerun was rate-limited, then waived by operator instruction.
• cargo fmt --all --check
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo test --workspace
• cargo test --doc --workspace
• cargo llvm-cov workspace summary: coverage 100.0% / threshold 83.0%
• cd integrations/raycast && npm ci --ignore-scripts --no-audit && npm test && npm audit --audit-level=moderate && npm run lint && npm run build
• cd packages/npm && npm ci --ignore-scripts --no-audit && npm test && npm audit --audit-level=moderate && npm run pack:dry-run
• bash scripts/test-release-scripts.sh
• node scripts/check-demo-ids.mjs
• trunk check --show-existing --fix --all
• trunk check --show-existing --all
• make test-security
• make verify

Notes

• VitePress build still prints existing Rollup PURE annotation warnings from node_modules/@vueuse/core, but the site build exits successfully.
• This PR does not merge itself.