Carry P2 hardening forward onto v2 main

[jaschadub]

The v2 merge to main carried forward only the attestation/signer/verifier rewrites from the P2 branch — the CLI, adapter, dependency-pin, and Rust API hardenings were lost. This commit restores them.

Python:

• CLI keygen: write .priv with mode 0600 via O_EXCL; parent dir 0700; refuse to clobber existing key (no umask reliance).
• Adapters: LanceDB validates id_column/vector_column/pin_column against ^[A-Za-z_][A-Za-z0-9_]*$ and rejects record_ids with NUL/newline/ backslash. Qdrant + Pinecone refuse api_key over http:// for non- loopback hosts unless VECTORPIN_ALLOW_INSECURE_HTTP=1.
• pyproject.toml: cryptography>=42,<46; numpy>=1.26,<3.

Rust:

• #![forbid(unsafe_code)] on the crate.
• Signer::generate -> Result<Self, SignerError::EmptyKeyId>.
• Signer::private_key_bytes -> Zeroizing<[u8; 32]>.
• vec_dim cast via u32::try_from on signer + verifier sides.
• Verifier::add_key -> Result<(), VerifyError::KeyDecodeFailed>.
• Workspace + crate Cargo.toml: zeroize = "1" as a direct dep.

TypeScript:

• @noble/ed25519 pinned to exact 2.3.0; @noble/hashes to 1.8.0.

Tests added:

• tests/test_cli_keygen_perms.py — verifies 0600 mode under permissive umask and clobber refusal.
• tests/test_signer_from_pem.py — verifies allow_unencrypted opt-in.
• rust/vectorpin/tests/hardening.rs — pins each Rust API change against silent regression (Zeroizing return type, generate Result, add_key Result, non-string extra rejection, trailing-garbage rejection, normal vec_dim round-trip after checked cast).
• typescript/test/attestation.test.ts — strict schema validation, prototype-pollution guards, base64url alphabet, size caps.

All e2e: Python 126, Rust 59 across 6 targets, TypeScript 110. cargo clippy --all-targets -- -D warnings is clean. cargo fmt clean.