v0.3.2

Tooling-only release. No engine, C ABI, or storage-trait changes — the published libengine.so and engine.h are identical to v0.3.1. ENGINE_ABI_VERSION (3) and STORAGE_TRAIT_VERSION (2) are unchanged.

Added

• Dependabot (#42) — weekly grouped dependency updates for cargo, the Bun npm client, and pinned github-actions.
• CodeQL code scanning (#42) — semantic SAST for rust + javascript-typescript (security-extended queries), wired in as a required merge check on main.

Changed

• GitHub Actions bumped (#43) — actions/checkout v4→v7, setup-python v5→v6, codeql-action v3→v4, and the Pages actions, via the first Dependabot group PR.
• GitHub Pages custom-domain CNAME added.

Security posture

This release lands alongside repo-level hardening (not in the tree): secret scanning + push protection, Dependabot alerts & security updates, private vulnerability reporting, and a "Protect main" branch ruleset requiring PR review + the full CI gate before merge.

Artifacts

• libengine-v0.3.2-linux-x64.so — release build of the embeddable engine (Linux x64)
• engine-v0.3.2.h — the frozen C ABI header