v0.4.6 — fs trailing-slash fail-open + redaction/net fixes

@hamr0 released this 23 May 19:56
· 57 commits to main since this release

Fixes from a /code-review pass over the v0.4.4/v0.4.5 security changes — it caught a fail-open in the fs primitive those releases were meant to harden.

Security

  • fs deny/scope entries with a trailing slash no longer mishandle the directory node. deny: ["/etc/secret/"] previously did not deny a read of /etc/secret itself (fail-open; its children were denied), and writeScope: ["/app/data/"] wrongly denied a write to /app/data (fail-closed). within() now strips a trailing slash before both the exact-match and prefix checks, and special-cases root.
  • secrets redaction masks every occurrence on a line. redact() used String.replace, which masks only the first match when the pattern is non-global (/sk-[a-z0-9]+/), so the second and any later secret on the line leaked. Because v0.4.5 routes every audit line through redact(), this undercut the audit-safety guarantee. Patterns are now forced global.
  • net.denyPrivateIps defense-in-depth: IPv4-compatible IPv6 (::a.b.c.d) is decoded like the mapped form, and the local range now covers deprecated site-local fec0::/10. Public addresses unaffected.
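
The trailing-slash case from the first Security item, as an added example that is not the project's code: withinBefore is a hypothetical reconstruction of a check that behaves the way the note describes, and withinAfter applies the described fix. readAllowed, writeAllowed and demo are assumed names, and paths are treated as POSIX-style strings.

```javascript
// Added illustration, not the project's code. POSIX-style path strings assumed.

// Hypothetical "before": the entry is compared as written, so a trailing
// slash makes the exact-match test miss the directory node itself.
function withinBefore(path, entry) {
  const prefix = entry.endsWith("/") ? entry : entry + "/";
  return path === entry || path.startsWith(prefix);
}

// "After", following the release note: strip one trailing slash from the
// entry before both checks, and special-case root (where stripping would
// leave "" and appending "/" would give "//").
function withinAfter(path, entry) {
  if (entry === "/") return path.startsWith("/");
  const e = entry.endsWith("/") ? entry.slice(0, -1) : entry;
  return path === e || path.startsWith(e + "/");
}

// Policy decisions built on within(); both helper names are assumptions.
function readAllowed(within, path, deny) {
  return !deny.some((entry) => within(path, entry));
}
function writeAllowed(within, path, writeScope) {
  return writeScope.some((entry) => within(path, entry));
}

// Constructed cases taken from the two examples in the release note,
// plus a sibling path that shares the prefix but must stay readable.
function demo() {
  const deny = ["/etc/secret/"];
  const scope = ["/app/data/"];
  const versions = [["before", withinBefore], ["after", withinAfter]];
  return versions.map(([version, within]) => ({
    version,
    readDirNode: readAllowed(within, "/etc/secret", deny),
    readChild: readAllowed(within, "/etc/secret/key", deny),
    readSibling: readAllowed(within, "/etc/secretive", deny),
    writeDirNode: writeAllowed(within, "/app/data", scope),
  }));
}

console.table(demo());
```

The "before" row shows both failure modes at once: the denied directory node is readable, and the scoped directory node is not writable.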

Tests

Suite 100 → 106 (test/security-review-followup.test.js), green on ubuntu/macos/windows × Node 20/22.

Full notes in CHANGELOG.