deps: audit + bump mistralrs/candle stack to clear cargo-audit unmaintained warnings #35

@pacphi

Follow-up from PR #30.

`cargo audit` on the post-merge `main` reports 6 allowed warnings (no vulnerabilities). All six chain through `mistralrs` / `candle` / `rav1e`:

| Advisory | Crate | Status |
| --- | --- | --- |
| RUSTSEC-2025-0141 | bincode 1.3.3 | unmaintained |
| RUSTSEC-2025-0141 | bincode 2.0.1 | unmaintained |
| RUSTSEC-2025-0057 | fxhash 0.2.1 | unmaintained |
| RUSTSEC-2025-0119 | number_prefix 0.4.0 | unmaintained |
| RUSTSEC-2024-0436 | paste 1.0.15 | unmaintained |
| | core2 0.4.0 | yanked |

Scope

  1. Check for newer `mistralrs` release that drops these transitive deps.
  2. Check `candle-*` 0.11+ when it lands — expected to drop `fxhash` and `paste`.
  3. If a clean upgrade exists, bump and re-run `cargo audit` — target: zero warnings.
  4. If not, keep this issue open and add a `cargo-audit` ignore list entry in `deny.toml` or similar, documented with rationale.

Acceptance

  • Either: `cargo audit` reports 0 warnings AND 0 vulnerabilities
  • Or: remaining warnings explicitly whitelisted with a note pointing upstream
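
A gate for the acceptance criteria above, as an added example that is not part of the original issue or the project's code. It reads a report shaped like `cargo audit --json` output (the field names are an assumption about that schema, and the sample is constructed), fails on any vulnerability or any warning missing from a hypothetical allowlist, and lists allowlist entries that no longer match anything.

```python
import json

# Constructed sample shaped like `cargo audit --json` output (field names are
# an assumption about that schema); it carries two of the issue's six warnings.
SAMPLE_REPORT = json.loads("""
{"vulnerabilities": {"found": false, "count": 0, "list": []},
 "warnings": {
   "unmaintained": [
     {"kind": "unmaintained", "package": {"name": "fxhash", "version": "0.2.1"},
      "advisory": {"id": "RUSTSEC-2025-0057"}}],
   "yanked": [
     {"kind": "yanked", "package": {"name": "core2", "version": "0.4.0"},
      "advisory": null}]}}
""")

# Hypothetical allowlist: (advisory id or "yanked", crate) -> upstream pointer.
ALLOWLIST = {
    ("RUSTSEC-2025-0057", "fxhash"): "expected to drop with candle-* 0.11+ (#35)",
    ("RUSTSEC-2024-0436", "paste"): "expected to drop with candle-* 0.11+ (#35)",
}


def warning_keys(report):
    """Yield (advisory-id-or-kind, crate, version) for every warning."""
    for kind, entries in report.get("warnings", {}).items():
        for w in entries:
            advisory = w.get("advisory") or {}  # yanked entries carry no advisory
            pkg = w["package"]
            yield advisory.get("id", kind), pkg["name"], pkg["version"]


def check_acceptance(report, allowlist):
    """Return (failures, stale): unmet criteria and unused allowlist keys."""
    failures, seen = [], set()
    vulns = report.get("vulnerabilities", {}).get("count", 0)
    if vulns:
        failures.append(f"{vulns} vulnerabilities reported")
    for ident, crate, version in warning_keys(report):
        seen.add((ident, crate))
        if not allowlist.get((ident, crate), "").strip():  # needs a rationale
            failures.append(f"{ident} {crate} {version}: not allowlisted")
    stale = sorted(set(allowlist) - seen)
    return failures, stale


if __name__ == "__main__":
    failures, stale = check_acceptance(SAMPLE_REPORT, ALLOWLIST)
    print("FAIL" if failures else "PASS", failures, "stale:", stale)
```

Reporting stale entries keeps the ignore list from outliving the warnings it was written for once an upstream bump removes them.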
