fix(security): prevent provider timeout pipe hangs #41

Merged: JSONbored merged 1 commit into main from codex/fix-provider-timeout-inherited-pipes on May 5, 2026

@JSONbored
Owner

Summary

  • prevent selected provider timeout handling from blocking on inherited stdout/stderr pipes
  • keep concurrent provider output draining and fail-closed cap behavior
  • add a Unix regression test for a provider descendant that holds output pipes open

What changed

  • provider stream readers now report through channels instead of unbounded join handles
  • timeout handling kills and waits for the direct provider process, then returns the timeout error immediately
  • normal process exits collect stdout/stderr with a bounded grace period and fail closed if pipes remain open

Why

  • a compromised or PATH-shadowed selected provider could spawn a descendant that inherits stdout/stderr and defeat NIGHTWARD_PROVIDER_TIMEOUT_MS

Validation

  • cargo test -p nightward-core provider_timeout
  • cargo test -p nightward-core provider_large_stdout_is_drained_until_cap_error
  • cargo test -p nightward-core
  • cargo test -p nightward-cli
  • make test-security
  • make verify
  • trunk check --show-existing --fix --all
  • trunk check --show-existing --all
  • Codex Security diff scan: no new reportable findings
  • real CLI reproduction with PATH-shadowed gitleaks returned under the configured provider timeout

Notes

  • patch release v0.1.8 should be tagged after merge because v0.1.7 contains this provider timeout regression

Signed-off-by: JSONbored <49853598+JSONbored@users.noreply.github.com>
@JSONbored JSONbored force-pushed the codex/fix-provider-timeout-inherited-pipes branch from 0fcc4e1 to c23657d Compare May 5, 2026 21:36
@JSONbored JSONbored enabled auto-merge May 5, 2026 21:40
@JSONbored JSONbored merged commit 69f82cc into main May 5, 2026
15 checks passed
@JSONbored JSONbored deleted the codex/fix-provider-timeout-inherited-pipes branch May 5, 2026 21:41
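
The pattern described under "What changed", as an added sketch that is not nightward's code: the stdout reader reports through a channel and is never joined, a timeout kills and reaps only the direct child before returning, and a normal exit collects output within a bounded grace period, failing closed if a descendant still holds the pipe. Assumptions: `run_provider`, `RunError`, the `sh -c` wrapper and the durations are hypothetical, and the output cap and stderr handling the PR mentions are left out.

```rust
use std::io::Read;
use std::process::{Command, Stdio};
use std::sync::mpsc;
use std::thread;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
enum RunError { Timeout, PipesHeldOpen, Io }

/// Hypothetical helper: run `sh -c script`, enforcing `timeout` on the direct
/// child and `grace` on output collection after it exits.
fn run_provider(script: &str, timeout: Duration, grace: Duration) -> Result<Vec<u8>, RunError> {
    let mut child = Command::new("sh").arg("-c").arg(script)
        .stdin(Stdio::null()).stdout(Stdio::piped()).stderr(Stdio::null())
        .spawn().map_err(|_| RunError::Io)?;
    let mut out = child.stdout.take().ok_or(RunError::Io)?;
    let (tx, rx) = mpsc::channel();
    // The reader drains concurrently and reports via a channel. It is never
    // joined, so a descendant holding the pipe open cannot block the caller.
    thread::spawn(move || {
        let mut buf = Vec::new();
        let _ = out.read_to_end(&mut buf);
        let _ = tx.send(buf);
    });
    let deadline = Instant::now() + timeout;
    loop {
        match child.try_wait().map_err(|_| RunError::Io)? {
            Some(_) => break,
            None if Instant::now() >= deadline => {
                // Kill and reap the direct child only, then return at once.
                let _ = child.kill();
                let _ = child.wait();
                return Err(RunError::Timeout);
            }
            None => thread::sleep(Duration::from_millis(10)),
        }
    }
    // Child exited: wait a bounded time for EOF, otherwise fail closed.
    rx.recv_timeout(grace).map_err(|_| RunError::PipesHeldOpen)
}

fn main() {
    let t = Duration::from_millis(300);
    // Constructed scripts: a background `sleep` inherits and holds stdout.
    println!("{:?}", run_provider("sleep 2 & sleep 2", t, t));
    println!("{:?}", run_provider("sleep 2 & echo hi", t, t));
    println!("{:?}", run_provider("echo ok", t, t));
}
```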