security hardening for 0.3.0 #36

Open
iicky wants to merge 4 commits into main from fix/security-hardening

iicky (Owner) commented Mar 4, 2026

  • Integrity hash covers scoped entries (sha256v2: prefix, v1 accepted on load)
  • Validate key names as shell-safe identifiers on add, import, and export
  • Reject vaults with unrecognized major version
  • Remove CLI phrase argument from restore (prompt/pipe only)
  • Warn when import skips MURK_* configuration keys
  • Gate dependabot auto-merge on patch-only updates, pin action SHA
  • Rewrite SPEC.md to match v2 format (single JSON, per-value encryption, scoped entries)
  • Use git daemon in demo tapes for clean push/pull URLs
  • Fix env var test races with Mutex
  • Bump to 0.3.0

… check, restore prompt-only

- Integrity hash now covers scoped (mote) entries (sha256v2: prefix, v1 accepted on load)
- Validate key names as shell-safe identifiers on add, import, and export
- Reject vaults with unrecognized major version on load
- Remove CLI phrase argument from restore (prompt/pipe only)
- Fix env var test races with Mutex lock
- Bump to 0.3.0
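
An added sketch of the key-name validation and `MURK_*` skip-with-warning items listed in the description and commit message above; it is not code from this pull request. The `KEY=VALUE` import format, the `[A-Za-z_][A-Za-z0-9_]*` identifier rule, and the names `is_shell_safe_key`, `import_env` and `ImportReport` are assumptions.

```rust
use std::collections::BTreeMap;

// Prefix named in the PR description; treated here as reserved configuration.
const RESERVED_PREFIX: &str = "MURK_";

/// True if `key` matches [A-Za-z_][A-Za-z0-9_]* (assumed identifier rule).
fn is_shell_safe_key(key: &str) -> bool {
    let mut bytes = key.bytes();
    match bytes.next() {
        Some(b) if b.is_ascii_alphabetic() || b == b'_' => {}
        _ => return false, // empty, leading digit, or non-ASCII first byte
    }
    bytes.all(|b| b.is_ascii_alphanumeric() || b == b'_')
}

#[derive(Debug, Default)]
struct ImportReport {
    accepted: BTreeMap<String, String>,
    warnings: Vec<String>,
}

/// Import KEY=VALUE lines: reject invalid names, skip reserved keys with a warning.
fn import_env(text: &str) -> Result<ImportReport, String> {
    let mut report = ImportReport::default();
    for (n, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let (key, value) = line.split_once('=')
            .ok_or_else(|| format!("line {}: expected KEY=VALUE", n + 1))?;
        if !is_shell_safe_key(key) {
            return Err(format!("line {}: invalid key name {:?}", n + 1, key));
        }
        if key.starts_with(RESERVED_PREFIX) {
            report.warnings.push(format!("skipped reserved key {}", key));
            continue;
        }
        report.accepted.insert(key.to_string(), value.to_string());
    }
    Ok(report)
}

fn main() {
    // Constructed sample input, not taken from the project.
    let report = import_env("API_KEY=abc\nMURK_EXAMPLE=1\n").unwrap();
    println!("{:?}", report);
}
```

Running the same validator on add, import, and export keeps a name that was accepted through one path from being rendered unchecked through another.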

codecov-commenter commented Mar 4, 2026

Codecov Report

❌ Patch coverage is 59.42029% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.74%. Comparing base (a8df5cc) to head (233d4e0).
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/main.rs | 0.00% | 22 Missing ⚠️ |
| src/lib.rs | 85.71% | 6 Missing ⚠️ |