fix(ci): use gcc-aarch64-linux-gnu as musl target linker

musl-tools only provides x86_64-native musl-gcc, not aarch64 cross-compiler.
gcc-aarch64-linux-gnu produces aarch64 ELF binaries with glibc; to get
musl instead, we pass CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER so
rustc uses it as the linker driver while still linking against musl libc
(from the rust target's sysroot). This was previously tried with
aarch64-linux-musl-gcc (from musl-tools) which doesn't exist on the runner.

Add User-Agent to crates.io API poll in release workflow

crates.io requires a User-Agent header per their API policy and
returns 403 without one. GitHub Actions runners using bare curl -s
may not send a default User-Agent, causing the wait loop to fail.

chore: bump all package manifests to 0.2.11

chore: bump all package manifests to 0.2.10

fix: SSRF bypass, allowlist_rules enforcement, webhook env hardening …

…(0.2.9)

- Fix IPv4-mapped/compatible/NAT64 IPv6 SSRF bypass in is_forbidden_ip (sheeki03#65)
- Wire allowlist_rules into engine with per-rule suppression + all-URL check (sheeki03#66)
- Block TIRITH_API_KEY and TIRITH_LICENSE from webhook env expansion (sheeki03#67)
- Bump all manifests to 0.2.9
- Add bypass_regression integration tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

chore: bump all package manifests to 0.2.8

chore: bump all package manifests to 0.2.7

v0.2.6: Cmd shell tokenizer + tirith setup openclaw

Add Cmd (cmd.exe) shell type to the tokenizer and rule engine so
Windows cmd.exe commands are properly tokenized and analyzed. Add
`tirith setup openclaw` command with a before_tool_call plugin for
OpenClaw's extension system.

Cmd shell type (Part C):
- Cmd variant in ShellType with tokenize_cmd() (^ escape, & separator,
  " only quoting, no single-quote special handling)
- split_raw_words(), has_unquoted_ampersand(), find_inline_bypass()
  updated for Cmd semantics
- normalize_shell_token(), basename_from_normalized() handle Cmd
  caret escaping and backslash paths
- "cmd" added to INTERPRETERS list and tier-1 regex
- Golden fixtures for pipe-to-cmd.exe and safe-ampersand

Setup openclaw (Part B):
- openclaw-tirith-guard.ts plugin using before_tool_call hook with
  execFileSync, TIRITH_BIN/TIRITH_SHELL/TIRITH_FAIL_OPEN env vars
- setup_openclaw() with OPENCLAW_STATE_DIR/CLAWDBOT_STATE_DIR support,
  tilde expansion, and relative path resolution
- "openclaw" added to setup subcommand and clap values

chore: bump all package manifests to 0.2.5

npm (6 packages), homebrew, scoop, AUR, chocolatey, RPM

fix: pin time crate to 0.3.41 for MSRV 1.83 compatibility

time 0.3.47 requires edition 2024 which is not available in Rust 1.83.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>