v0.9.32 — Security fixes, Rust 1.95.0

Security fixes

• manage_memories.forget empty-key wipe (critical): empty/whitespace key previously made fk.contains(&key_lower) true for every fact, and the cross-category sweep then deleted across all categories. Now rejects empty/whitespace/<2-char keys; cross-category sweep restricted to exact/canonical matches.
• Terminal chained-command session approval leakage (high): approving curl … | python3 … no longer stores curl/python3 as session binary prefixes that would auto-allow arbitrary future chains. Chained approvals store the full command for exact-match only; the per-segment check no longer consults session approvals.
• terminal and read_channel_history moved to untrusted in is_trusted_tool. Their output is now wrapped before reaching the LLM, closing a prompt-injection path via curl output and Slack history from other users.
• edit_file blocks sensitive paths (~/.ssh, *.env, ~/.gnupg, ~/.aws) matching write_file.
• run_command allowlist tightened: removed cargo run, cargo bench, npm run, npx, yarn run, bun run, make, cmake, gradle, mvn, go generate — all execute arbitrary repo-defined or network-downloaded code.

Regression tests added for every fix.

Toolchain & dependencies

• Rust 1.94.0 → 1.95.0
• ~90 SemVer-compatible crate bumps via cargo update (tokio 1.52.3, hyper 1.9.0, rustls 0.23.40, uuid 1.23.1, indexmap 2.14.0, proptest 1.11.0, wasm-bindgen 0.2.121, etc.)
• Incompatible majors deferred: keyring 4 (Entry moved to keyring-core, requires explicit store init), reqwest 0.13 (RequestBuilder methods now behind features), rand 0.10 (thread_rng/OsRng API changes), sha1/sha2/hmac/hkdf 0.11/0.13 (Mac trait reworked). These require migrations and are tracked for a follow-up release.

Full Changelog: v0.9.31...v0.9.32