nimsodium v0.2.1

Patch hardening pre-release focused on secret key storage.

Highlights:

• Secret key types now use libsodium secure heap allocation instead of GC-managed string storage.
• Secure key memory is locked with sodium_mlock, protected read-only after initialization, and released with sodium_free.
• Default encryption, authentication, signing, KDF, stream, and key-exchange paths avoid internal rawBytes key export.
• Temporary password/KDF-derived key strings are zeroed after wrapping.
• rawBytes remains available as an explicit key export operation.

This is still a pre-release before v1.0; API names and stored formats may still change.