fail CI on secret-handling mistakes the linters miss

[iicky]

• fail CI when library code reads MURK_KEY outside the env module, writes a secret to stdout, or ships a dbg!
• add tests/invariants.rs scanning src for these rules, and deny clippy's dbg_macro in Cargo.toml
• route murk init key discovery through env::key_from_env_only so the key env vars are read in one auditable place

[codecov]

Codecov Report

❌ Patch coverage is 81.25000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.52%. Comparing base (b395422) to head (82cdc76).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/env.rs	86.66%	0 Missing and 2 partials ⚠️
src/init.rs	0.00%	0 Missing and 1 partial ⚠️

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.