v1.2.0-rc1 — opt-in threat intelligence (release candidate)

Pre-release

@HxHippy released this 17 Jun 14:01
v1.2.0-rc1
1b689b9

Release candidate — in testing, not for production. A default scan is unchanged: fully offline and static. This RC is published for testing while it bakes.

Added — opt-in threat intelligence

  • VirusTotal & URLhaus lookups, wired in. With enable_threat_intel set and a key supplied (config, or VT_API_KEY/VIRUSTOTAL_API_KEY/URLHAUS_AUTH_KEY), a new networked analyzer checks each declared sha256sums entry against VirusTotal and each source= URL against abuse.ch/URLhaus, emitting TI-VT-001 / TI-URLHAUS-001 on a malicious verdict.
  • Off by default. Only data already public in the PKGBUILD (hashes, source URLs) is ever sent; every lookup fails open so a provider outage never blocks a scan. URLhaus requires the now-mandatory abuse.ch Auth-Key.
  • All third-party egress is isolated in one auditable file (crates/aur-scanner-core/src/threat_intel/remote.rs) — HTTPS-only, no-redirect, time-bounded.
  • Verdict cache activated. The hardened, MAC-authenticated DiskCache now caches lookups (gated by CacheConfig), and lookups are capped per scan, to respect VirusTotal's 4-request/min public quota.
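
How a fail-open, cached, per-scan-capped lookup fits together, as an added sketch that is not code from this release or from aur-scanner-core. `Verdict`, `IntelGate` and the closure-based provider are hypothetical names, and a `HashMap` stands in for the MAC-authenticated DiskCache.

```rust
use std::collections::HashMap;

// Hypothetical types for illustration; not the aur-scanner-core API.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Verdict {
    Malicious,
    Clean,
    Unknown, // no answer: the scan continues on its offline findings
}

pub struct IntelGate {
    cache: HashMap<String, Verdict>, // in-memory stand-in for the verdict cache
    remaining: u32,                  // provider calls still allowed in this scan
}

impl IntelGate {
    pub fn new(cap: u32) -> Self { Self { cache: HashMap::new(), remaining: cap } }

    pub fn remaining(&self) -> u32 { self.remaining }

    /// Check one indicator (hash or URL). `provider` is the only networked part.
    pub fn check<F>(&mut self, key: &str, provider: F) -> Verdict
    where
        F: FnOnce(&str) -> Result<Verdict, String>,
    {
        if let Some(v) = self.cache.get(key) {
            return *v; // cache hit: no request, no quota spent
        }
        if self.remaining == 0 {
            return Verdict::Unknown; // cap reached: skip the lookup, never block
        }
        self.remaining -= 1; // assumption: a failed request still counts against the cap
        match provider(key) {
            Ok(v) => {
                self.cache.insert(key.to_string(), v);
                v
            }
            Err(_) => Verdict::Unknown, // fail open; errors are not cached
        }
    }
}

fn main() {
    let mut gate = IntelGate::new(2);
    let hash = "0".repeat(64); // constructed sample, not a real indicator
    println!("{:?}", gate.check(&hash, |_| Err("timeout".to_string())));
    println!("{:?}", gate.check(&hash, |_| Ok(Verdict::Malicious)));
    println!("{:?}", gate.check(&hash, |_| Ok(Verdict::Clean))); // served from cache
}
```

Because an `Unknown` result never raises a finding, a provider outage or an exhausted cap leaves the scan with exactly its offline results.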

Credit

The VirusTotal-by-hash approach was contributed by @SuitablyMysterious — the vt_lookup in #9 was the reference implementation.

Full notes: see CHANGELOG.md.