Replace 4 unsafe sites with safe wrappers:
- libc::pipe2 → nix::unistd::pipe2 (safe OwnedFd return)
- File::from_raw_fd → File::from(OwnedFd) (safe ownership transfer)
- unsafe impl Send for SendCookie → thread_local! lazy Cookie
(each thread gets its own independent Cookie, no Send needed)
- pre_exec + libc::fcntl → command-fds crate fd_mappings()
(handles CLOEXEC clearing safely, also fixes potential fd leak
on spawn failure via OwnedFd RAII)
Only libc::umask remains as a single unavoidable unsafe site
(no safe Rust wrapper exists for the umask syscall).
Also updates AGENTS.md to remove stale SendCookie exception.
Andrew Phillips
0af74000d2