Hardening pass: MAC schema coverage, shell escaping, test hermeticity, CI expansion

[iicky]

• MAC v4 (blake3v2:) now covers schema (descriptions, examples, tags) — retagging on disk trips integrity verification
• Shell-escape MURK_KEY_FILE path in .env and vault name in .envrc; strip quotes on read in read_key_from_dotenv
• Isolate HOME to temp dir in CLI and adversarial test helpers — all 418 tests pass hermetically
• Fix Python binding clippy errors, expand CI to lint and test with --all-features
• Install script hard-fails without a hash tool, verifies attestation when gh available

[codecov]

Codecov Report

❌ Patch coverage is 98.26087% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.74%. Comparing base (963f4b9) to head (6b04fb1).
⚠️ Report is 20 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/env.rs	97.29%	0 Missing and 1 partial ⚠️
src/lib.rs	98.71%	1 Missing ⚠️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.