
hardening wave 2: race-safe opens, permission checks, .env deprecation #92

Merged: iicky merged 2 commits into main from feat/hardening-wave2 on Mar 29, 2026

@iicky iicky commented Mar 29, 2026

  • Lock file opens use O_NOFOLLOW on Unix (race-safe, no TOCTOU)
  • Key file reads reject group/world-readable permissions (mode > 0600)
  • New read_secret_file() helper: symlink check + permission check in one path
  • Deprecation warning when key is loaded from .env fallback
  • Inline MURK_KEY= in .env emits deprecation warning (prefer MURK_KEY_FILE=)
  • .env key file references now go through read_secret_file (symlink + perm checks)
  • libc added as unix-only dependency for O_NOFOLLOW
  • Prefer XDG_RUNTIME_DIR/tmpfs for murk edit tempfiles
  • Warn on ssh-rsa key authorization (references RUSTSEC-2023-0071)
  • Add CODE_OF_CONDUCT.md, CONTRIBUTING.md, issue templates, PR template
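
The symlink and permission checks listed in the description above, as an added std-only Rust example (not the project's code and not posted by the PR author). The name `read_secret_checked`, the lstat/fstat inode comparison used in place of `O_NOFOLLOW`, and the sample key are assumptions; the project's `read_secret_file()` is not shown on this page.

```rust
use std::fs::{self, File, Permissions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{symlink, MetadataExt, PermissionsExt};
use std::path::Path;

/// Hypothetical stand-in for a `read_secret_file`-style helper (not the project's code).
fn read_secret_checked(path: &Path) -> io::Result<String> {
    let deny = |msg: &str| io::Error::new(io::ErrorKind::PermissionDenied, msg.to_string());
    // lstat: inspect the path itself, never the target of a symlink.
    let before = fs::symlink_metadata(path)?;
    if !before.file_type().is_file() {
        return Err(deny("not a regular file (symlink or special file)"));
    }
    let mut file = File::open(path)?;
    // fstat on the open handle: the remaining checks and the read use this inode.
    let after = file.metadata()?;
    if (before.dev(), before.ino()) != (after.dev(), after.ino()) {
        return Err(deny("path was replaced between check and open"));
    }
    // Any group/other bit set means the mode is looser than 0600.
    if after.mode() & 0o077 != 0 {
        return Err(deny("key file is group- or world-accessible"));
    }
    let mut secret = String::new();
    file.read_to_string(&mut secret)?;
    Ok(secret.trim_end().to_string())
}

/// Builds constructed sample files; returns (0600 accepted, 0644 rejected, symlink rejected).
fn demo() -> io::Result<(bool, bool, bool)> {
    let dir = std::env::temp_dir().join(format!("secret-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir); // clear leftovers from an earlier run
    fs::create_dir_all(&dir)?;
    let (key, link) = (dir.join("key"), dir.join("key-link"));
    File::create(&key)?.write_all(b"CONSTRUCTED-SAMPLE-KEY\n")?;
    fs::set_permissions(&key, Permissions::from_mode(0o600))?;
    let ok = read_secret_checked(&key)? == "CONSTRUCTED-SAMPLE-KEY";
    symlink(&key, &link)?;
    let link_rejected = read_secret_checked(&link).is_err();
    fs::set_permissions(&key, Permissions::from_mode(0o644))?;
    let loose_rejected = read_secret_checked(&key).is_err();
    fs::remove_dir_all(&dir)?;
    Ok((ok, loose_rejected, link_rejected))
}

fn main() {
    println!("{:?}", demo());
}
```

Checking the mode on the open handle rather than on the path means the permission decision and the read apply to the same inode, even if the path is swapped afterwards.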


codecov bot commented Mar 29, 2026

Codecov Report

❌ Patch coverage is 36.84211% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.41%. Comparing base (44b15e4) to head (a02f5cf).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/main.rs | 0.00% | 12 Missing ⚠️ |
| src/env.rs | 60.86% | 9 Missing ⚠️ |
| src/vault.rs | 0.00% | 3 Missing ⚠️ |


@iicky iicky merged commit bae353d into main Mar 29, 2026
23 checks passed
@iicky iicky deleted the feat/hardening-wave2 branch March 29, 2026 02:39