
chore: address cargo audit advisories #160

Merged: rubenhensen merged 1 commit into main from chore/cargo-audit-159 on May 17, 2026

Conversation

@dobby-coder (Bot, Contributor) commented May 16, 2026

Summary

Addresses the advisories raised in #159.

| Crate | Advisory | Status |
| --- | --- | --- |
| lettre 0.11.21 → 0.11.22 | RUSTSEC-2026-0141 (critical, CVSS 9.1) | Fixed in this PR |
| rustls-pemfile 1.0.4 | RUSTSEC-2025-0134 (unmaintained, warning) | Out of scope — see below |

lettre bump

`cargo update -p lettre` brings the patched release. The advisory only affects the Boring TLS backend; cryptify uses the default backend, so impact is precautionary. The Cargo.toml constraint (`lettre = "0.11.19"`) already allows the new version — lockfile-only change.

rustls-pemfile (not fixable here)

The unmaintained rustls-pemfile 1.x is pulled transitively:

```
rustls-pemfile 1.0.4
└── reqwest 0.11.27
    └── irma 0.2.1
        ├── pg-core 0.6.0 → cryptify
        └── cryptify (direct: irma = "0.2.1")
```

cryptify cannot eliminate this without an upstream bump in irma (currently pinned to reqwest 0.11). Tracking is appropriate at the postguard / irma level, not here. After this PR merges, #159 can be closed — the actionable item for cryptify is done.

Verification

  • cargo audit — vulnerability gone, only the upstream rustls-pemfile warning remains
  • cargo build --release — clean
  • cargo test — 87 passed, 0 failed
  • cargo fmt --all -- --check — clean
  • cargo clippy --all-targets — clean

Reviewer quickstart

```
git fetch origin && git checkout chore/cargo-audit-159 && cargo build --release && cargo test
```

Closes #159

Addresses critical advisory (CVSS 9.1): TLS hostname verification
was disabled when using the Boring TLS backend. cryptify uses the
default backend; bump is precautionary and aligns with the advisory
fix range.

Closes #159
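A CI gate for this kind of audit follow-up, written here as an added example and not part of cryptify or this PR: it reads the crate versions out of a Cargo.lock fragment, so the lockfile-only bump can be asserted rather than eyeballed, and it fails on any `cargo audit --json` finding that is not an explicitly accepted advisory pinned to the crate it was accepted for. The JSON shape, the lockfile fragment and the report are constructed assumptions, not output captured from the project.

```python
import json
import re

# Constructed Cargo.lock fragment (not cryptify's real lockfile) after the bump.
SAMPLE_LOCK = """[[package]]
name = "lettre"
version = "0.11.22"

[[package]]
name = "rustls-pemfile"
version = "1.0.4"
"""

# Constructed report in the shape (assumed here) of `cargo audit --json` after
# the bump: no vulnerabilities, only the unmaintained warning left.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {"unmaintained": [{
        "advisory": {"id": "RUSTSEC-2025-0134"},
        "package": {"name": "rustls-pemfile", "version": "1.0.4"}}]},
})

# Accepted-as-unfixable advisories, pinned to their crate so the same id on another crate still fails.
ACCEPTED = {"RUSTSEC-2025-0134": "rustls-pemfile"}

def locked_versions(lock_text):
    """Map crate name -> version by scanning Cargo.lock [[package]] tables."""
    versions, name = {}, None
    for line in lock_text.splitlines():
        m = re.match(r'\s*(name|version)\s*=\s*"([^"]+)"', line)
        if m and m.group(1) == "name":
            name = m.group(2)
        elif m and name:
            versions[name], name = m.group(2), None
    return versions

def audit_findings(report_json):
    """Yield (advisory id, crate, version, kind) for each vulnerability and warning."""
    report = json.loads(report_json)
    groups = [("vulnerability", report.get("vulnerabilities", {}).get("list", []))]
    groups += list(report.get("warnings", {}).items())
    for kind, entries in groups:
        for e in entries:
            yield e["advisory"]["id"], e["package"]["name"], e["package"]["version"], kind

def gate(report_json, accepted=ACCEPTED):
    """Return (ok, unexpected): ok only if every finding is an accepted id on its crate."""
    unexpected = [f for f in audit_findings(report_json) if accepted.get(f[0]) != f[1]]
    return not unexpected, unexpected
```

Pipe real output in with `cargo audit --json` and feed the repository's Cargo.lock to `locked_versions` to assert the expected lettre version in CI.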
@dobby-coder dobby-coder Bot requested a review from rubenhensen May 16, 2026 22:30
@dobby-coder (Bot, Contributor, Author) left a comment


Self-authored PR so cannot formally approve, but verified locally and the change is good:

  • cargo audit — RUSTSEC-2026-0141 (lettre) gone; only the unfixable transitive rustls-pemfile warning via irma → reqwest remains, matching the PR description.
  • Diff is Cargo.lock-only. lettre bumped 0.11.21 → 0.11.22; other transitive deltas are incidental from the update resolution.
  • CI green on all required checks.

Ready to merge from this agent's side.

@rubenhensen rubenhensen merged commit 6a003d2 into main May 17, 2026
6 checks passed
@rubenhensen rubenhensen deleted the chore/cargo-audit-159 branch May 17, 2026 16:06

Development

Successfully merging this pull request may close these issues: chore: update dependencies
