add OpenSSF Scorecard and cargo-audit#90

Merged
iicky merged 5 commits into main from feat/security-signals
Mar 29, 2026
Conversation

@iicky
Owner

@iicky iicky commented Mar 29, 2026

  • Add OpenSSF Scorecard workflow (runs on main push + weekly, publishes SARIF results)
  • Add cargo-audit to lint job for RustSec advisory checking alongside cargo-deny
  • Add 5 fuzz targets: vault parsing, .env parsing, merge logic, recipient parsing, recovery
  • Add symlink rejection on all write paths (.env, key files, .envrc, .gitattributes)
  • Add Known Limitations section to SECURITY.md
  • Soften absolute claims in README ("safe to commit" → "designed to be committed", etc)
  • Fix BIP39 key derivation docs (direct Bech32 encoding, not SHA-256)
  • Fix "no custom cryptography" → "age for encryption, documented BLAKE3 integrity layer"
  • Surface revocation caveat in README offboarding section
  • Soften GitHub Actions log masking claim
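The symlink rejection listed above, shown as an added illustration of the technique rather than the project's own code: the check inspects the link itself with `symlink_metadata` (which does not follow links) and only then opens the path, so a link planted at `.env`, a key file, `.envrc` or `.gitattributes` cannot redirect the write elsewhere. The names `reject_symlink` and `write_no_follow` are assumptions.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::path::Path;

/// Fail if `path` exists and is a symlink. A missing file is acceptable:
/// it will be created by the caller. `symlink_metadata` reports on the link
/// itself, unlike `fs::metadata`, which would silently follow it.
pub fn reject_symlink(path: &Path) -> io::Result<()> {
    match fs::symlink_metadata(path) {
        Ok(meta) if meta.file_type().is_symlink() => Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("refusing to write through symlink: {}", path.display()),
        )),
        Ok(_) => Ok(()),
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(()),
        Err(e) => Err(e),
    }
}

/// Write `contents` to `path` only after the symlink check passes.
/// On Unix a newly created file gets mode 0600, as suits a key or .env file.
/// Note the check-then-open gap: a link raced in between the two calls would
/// need O_NOFOLLOW at open time to be caught; this example (assumed code)
/// keeps to the standard library and documents that limit instead.
pub fn write_no_follow(path: &Path, contents: &[u8]) -> io::Result<()> {
    reject_symlink(path)?;
    let mut opts = OpenOptions::new();
    opts.write(true).create(true).truncate(true);
    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.mode(0o600);
    }
    let mut file = opts.open(path)?;
    file.write_all(contents)
}
```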

@codecov

codecov bot commented Mar 29, 2026

Codecov Report

❌ Patch coverage is 75.86207% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.50%. Comparing base (0133ad3) to head (aa90f0d).
⚠️ Report is 8 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines   Patch %   Lines
src/merge.rs               0.00%     4 Missing ⚠️
src/env.rs                 62.50%    3 Missing ⚠️


@iicky iicky enabled auto-merge March 29, 2026 01:52
@iicky iicky merged commit ab4b664 into main Mar 29, 2026
23 checks passed
@iicky iicky deleted the feat/security-signals branch March 29, 2026 02:07