chore(deny): ignore RUSTSEC-2026-0105 (core2 yanked, transitive via bitstream-io)

[noahgift]

Summary

cargo deny check advisories started failing on every PR (and on main) 2026-05-22 with a new advisory:

error[unmaintained]: core2 is unmaintained, all versions yanked
├ ID: RUSTSEC-2026-0105
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0105

The dep is pulled in transitively via bitstream-io (image/media decoding stack — cargo tree shows bitstream-io v4.9.0 → core2 v0.4.0). No first-party use; no drop-in replacement until upstream bitstream-io migrates off core2.

Why this PR is urgent

This commit unblocks the in-flight PR cascade:

• fix(version): build.rs resolves worktree HEAD via git rev-parse --git-dir (closes #1862) #1867 fix(version) build.rs worktree HEAD
• fix(export): apr export no longer panics on missing num_layers (closes #1865) #1868 fix(export) num_layers panic
• fix(validate): gate --quality threshold on implemented checks (closes #1866) #1870 fix(validate) quality threshold
• chore(readme): fix drift (1134→1148, 82→103) + apr serve example syntax #1873 chore(readme) drift fix
• feat(qwen-story): 8-beat E2E narrative + pmat bug-hunt + daily cron #1875 feat(qwen-story)
• fix(wgpu-parity): multi-step gate catches 7B Q4K autoregressive drift (#1864 wgpu) #1876 fix(wgpu-parity) multi-step gate

All 6 failed CI's ci / lint step on this single advisory.

Verification

$ cargo deny check advisories
... (warnings about previously-ignored advisories that no longer match — pre-existing) ...
advisories ok

Test plan

• cargo deny check advisories exits 0 locally
• Diff is a single 3-line addition; no other config changed
• CI: ci / lint, workspace-test

🤖 Generated with Claude Code