fix: eliminate unsafe code via nix, command-fds, and thread-local cookie

Replace 4 unsafe sites with safe wrappers:

- libc::pipe2 → nix::unistd::pipe2 (safe OwnedFd return)
- File::from_raw_fd → File::from(OwnedFd) (safe ownership transfer)
- unsafe impl Send for SendCookie → thread_local! lazy Cookie
  (each thread gets its own independent Cookie, no Send needed)
- pre_exec + libc::fcntl → command-fds crate fd_mappings()
  (handles CLOEXEC clearing safely, also fixes potential fd leak
  on spawn failure via OwnedFd RAII)

Only libc::umask remains as a single unavoidable unsafe site
(no safe Rust wrapper exists for the umask syscall).

Also updates AGENTS.md to remove stale SendCookie exception.
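The thread-local replacement for `unsafe impl Send` described above, as an added example that is not the project's code: `Cookie` here is a hypothetical stand-in that holds an `Rc` (so it is neither `Send` nor `Sync`), and the counters exist only to show that each thread builds exactly one `Cookie`, lazily, and never shares it.

```rust
use std::cell::Cell;
use std::collections::HashSet;
use std::rc::Rc;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::thread;

/// Counts every Cookie ever constructed, across all threads.
static CONSTRUCTED: AtomicUsize = AtomicUsize::new(0);

/// Hypothetical stand-in for the project's Cookie: holding an Rc makes it
/// neither Send nor Sync, so it cannot cross threads without `unsafe impl Send`.
pub struct Cookie { secret: Rc<String>, uses: Cell<u32> }

impl Cookie {
    fn new() -> Cookie {
        CONSTRUCTED.fetch_add(1, Ordering::SeqCst);
        // Constructed sample secret: the creating thread's id.
        let tid = format!("{:?}", thread::current().id());
        Cookie { secret: Rc::new(tid), uses: Cell::new(0) }
    }
}

thread_local! {
    // Built lazily on first access in each thread and dropped with that thread.
    static COOKIE: Cookie = Cookie::new();
}

/// Uses the calling thread's Cookie; returns (secret, use count so far).
pub fn use_cookie() -> (String, u32) {
    COOKIE.with(|c| {
        c.uses.set(c.uses.get() + 1);
        (c.secret.as_str().to_owned(), c.uses.get())
    })
}

/// Runs `n` workers that each call use_cookie() `per_thread` times; returns
/// (distinct secrets seen, Cookies constructed while the workers ran).
pub fn run_workers(n: usize, per_thread: u32) -> (usize, usize) {
    let before = CONSTRUCTED.load(Ordering::SeqCst);
    let handles: Vec<_> = (0..n)
        .map(|_| thread::spawn(move || (0..per_thread).map(|_| use_cookie()).last()))
        .collect();
    let mut secrets = HashSet::new();
    for h in handles {
        let (secret, uses) = h.join().expect("worker panicked").expect("per_thread > 0");
        assert_eq!(uses, per_thread); // the use counter is private to that thread
        secrets.insert(secret);
    }
    (secrets.len(), CONSTRUCTED.load(Ordering::SeqCst) - before)
}
```

With four workers making three calls each, the result is four distinct cookies and exactly four constructions: the thread-local initializer runs once per thread, not once per call.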
2026-03-14 16:01:54 -03:00
parent 9a1e23e85f
commit 0af74000d2
5 changed files with 83 additions and 102 deletions

Cargo.lock (generated): 11 lines changed

@@ -488,6 +488,16 @@ dependencies = [
"unicode-width",
]
[[package]]
name = "command-fds"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f849b92c694fe237ecd8fafd1ba0df7ae0d45c1df6daeb7f68ed4220d51640bd"
dependencies = [
"nix",
"thiserror 2.0.18",
]
[[package]]
name = "config"
version = "0.15.21"
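Review bot: the new command-fds 0.3.2 entry lists "thiserror 2.0.18" with an explicit version, and Cargo.lock only qualifies a dependency that way when more than one version of that package is resolved, so this change leaves two thiserror majors in the tree; run cargo tree -d and decide whether the older consumer should be bumped rather than carrying the duplicate. The "nix" dependency is unqualified, so command-fds resolved against the single nix already in the lock, which is what keeps its OwnedFd types interchangeable with the ones used in the pipe2 replacement.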
@@ -1660,6 +1670,7 @@ dependencies = [
"clap",
"clap_complete",
"comfy-table",
"command-fds",
"config",
"ctor",
"derive_more",
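Review bot: the Cargo.toml hunk that declares the new "command-fds" requirement is not part of this page; confirm it is a caret requirement on 0.3 (matching the locked 0.3.2) so a plain cargo update cannot move to a new major with a different fd_mappings() signature without a manifest change. The insertion keeps the dependency list alphabetical, so no ordering nit here.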