fix: eliminate unsafe code via nix, command-fds, and thread-local cookie

Replace 4 unsafe sites with safe wrappers:

- libc::pipe2 → nix::unistd::pipe2 (safe OwnedFd return)
- File::from_raw_fd → File::from(OwnedFd) (safe ownership transfer)
- unsafe impl Send for SendCookie → thread_local! lazy Cookie
  (each thread gets its own independent Cookie, no Send needed)
- pre_exec + libc::fcntl → command-fds crate fd_mappings()
  (handles CLOEXEC clearing safely, also fixes potential fd leak
  on spawn failure via OwnedFd RAII)

Only libc::umask remains as a single unavoidable unsafe site
(no safe Rust wrapper exists for the umask syscall).

Also updates AGENTS.md to remove stale SendCookie exception.
2026-03-14 16:01:54 -03:00
parent 9a1e23e85f
commit 0af74000d2
5 changed files with 83 additions and 102 deletions


@@ -19,6 +19,7 @@ base64 = "0.22"
chrono = { version = "0.4", features = ["serde"] }
clap = { version = "4.6", features = ["derive", "env"] }
clap_complete = "4"
command-fds = "0.3"
config = "0.15"
ctor = "0.2"
directories = "6.0"
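Review bot: `command-fds = "0.3"` is added as an unconditional dependency, but the code it replaces (`pre_exec` plus `libc::fcntl`, per the commit message) is Unix-only, so the crate is only ever used on Unix targets; consider moving it under `[target.'cfg(unix)'.dependencies]` so non-Unix builds do not pull it in. Since this is a new third-party crate taking over fd handling across `spawn`, it is also worth recording the audit or `cargo vet`/`cargo deny` status for it alongside the change.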
@@ -39,7 +40,7 @@ local-ip-address = "0.6"
log = "0.4"
lz4_flex = { version = "0.12", optional = true }
magic = { version = "0.13", optional = true }
nix = "0.30"
nix = { version = "0.30", features = ["fs", "process"] }
once_cell = "1.21"
comfy-table = "7.2"
pwhash = "1.0"
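Review bot: with the `"fs"` feature now enabled on `nix = { version = "0.30", features = ["fs", "process"] }`, the commit message's claim that `libc::umask` is "unavoidable" no longer holds: nix ships a safe `nix::sys::stat::umask(Mode) -> Mode` behind that same `"fs"` feature, so the last `unsafe` site can be removed in the same change rather than documented as an exception. Also worth stating in the message which code path needs the `"process"` feature, since the listed replacements (`pipe2`, `OwnedFd`, `fd_mappings()`) only account for `"fs"`.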