marvisx-cli v0.2.1 — security hardening
Security fixes that harden the local runtime. No breaking changes; drop-in upgrade.
- Audit log is now append-only — DB triggers reject UPDATE/DELETE on audit_log (tamper-evidence).
- Empty agent-token scopes now deny instead of granting allow-all (least-privilege).
- Secret scan no longer fails open when run outside a git repository.
- master.key encrypted at rest — opt-in passphrase-derived key (scrypt KEK); backward-compatible, no lockout if no passphrase is set.
Upgrade: uv tool install -U marvisx-cli
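An added example (not marvisx-cli's own code) of the append-only audit log from the first item, assuming a SQLite backend. The columns, trigger names and the extra guard against INSERT OR REPLACE are assumptions of this example and go beyond the UPDATE/DELETE case the note describes; only the audit_log table name comes from the release note.

```python
import sqlite3

# Assumed: SQLite backend; only the audit_log table name is from the release note.
SCHEMA = """
CREATE TABLE audit_log (id INTEGER PRIMARY KEY AUTOINCREMENT,
    actor TEXT NOT NULL, action TEXT NOT NULL);
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
-- INSERT OR REPLACE drops the old row without firing DELETE triggers unless
-- recursive_triggers is ON, so also reject inserts that reuse an existing id.
CREATE TRIGGER audit_log_no_replace BEFORE INSERT ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only')
      WHERE EXISTS (SELECT 1 FROM audit_log WHERE id = NEW.id); END;
"""
TAMPER = {  # constructed tampering attempts
    "update": "UPDATE audit_log SET actor = 'x' WHERE id = 1",
    "delete": "DELETE FROM audit_log WHERE id = 1",
    "replace": "INSERT OR REPLACE INTO audit_log (id, actor, action) VALUES (1, 'x', 'y')",
}

def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def append(conn, actor, action):
    with conn:  # commit on success, roll back on error
        cur = conn.execute("INSERT INTO audit_log (actor, action) VALUES (?, ?)", (actor, action))
    return cur.lastrowid

def rejected(conn, sql):
    """Run a tampering statement; return True only if a trigger aborted it."""
    try:
        with conn:
            conn.execute(sql)
    except sqlite3.DatabaseError as exc:
        return "append-only" in str(exc)
    return False

def demo():
    conn = open_audit_db()
    append(conn, "agent-1", "token.issue")  # constructed sample events
    append(conn, "agent-1", "secret.scan")
    results = {name: rejected(conn, sql) for name, sql in TAMPER.items()}
    return results, conn.execute("SELECT id, actor, action FROM audit_log ORDER BY id").fetchall()
```

Triggers give tamper-evidence against ordinary SQL writes only; anyone who can modify the database file or drop the triggers is outside what this control covers.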