
deps: classify #139 fxhash CVE as dev-dep-only + recommended fix wasmtime = { default-features = false } #269

@hyperpolymath

Description

Refinement to #139

The fxhash@0.2.1 RUSTSEC-2025-0057 advisory IS present in `Cargo.lock`, but the chain is:

```
fxhash@0.2.1
← fxprof-processed-profile (wasmtime profiling support)
← wasmtime@36
```

`wasmtime` is declared in `src/ephapax-cli/Cargo.toml` under `[dev-dependencies]` (used only by `src/ephapax-cli/tests/wasm_e2e.rs` for `Engine` / `Module` / `Store` / `Linker`):

```toml
[dev-dependencies]
wasmtime.workspace = true
```

The CVE never ships in production binaries. Dev-only exposure.
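The classification above (reachable only through a `[dev-dependencies]` edge, so never linked into a release binary) can be automated over the resolve graph that `cargo metadata` emits. The script below is an added example for this issue, not code from the ephapax project: it walks the graph from the workspace members, first over normal and build edges only, then including `dev` edges, and reports which bucket the named crate falls into. The embedded `SAMPLE_METADATA` is a constructed, trimmed-down stand-in for real `cargo metadata --format-version 1` output that mirrors the `ephapax-cli -> wasmtime -> fxprof-processed-profile -> fxhash` chain; package ids and the `fxprof-processed-profile` / `serde` versions are placeholders.

```python
"""Triage helper: is an advisory-affected crate reachable in production builds?

Added example for this issue, not code from the ephapax project. It walks the
`cargo metadata --format-version 1` resolve graph from the workspace members,
first following only normal and build dependency edges (what ships in release
binaries), then including `dev` edges, and classifies the crate accordingly.
Real usage:  cargo metadata --format-version 1 | python3 classify_dep.py fxhash
"""
import json
import sys
from collections import deque

# Constructed sample mirroring the chain described in the issue:
# ephapax-cli --(dev)--> wasmtime --> fxprof-processed-profile --> fxhash.
# Package ids and the fxprof-processed-profile/serde versions are placeholders;
# real cargo metadata uses longer id strings, but the field layout is the same.
SAMPLE_METADATA = {
    "workspace_members": ["ephapax-cli 0.1.0"],
    "packages": [
        {"id": "ephapax-cli 0.1.0", "name": "ephapax-cli"},
        {"id": "wasmtime 36.0.0", "name": "wasmtime"},
        {"id": "fxprof-processed-profile 0.0.0", "name": "fxprof-processed-profile"},
        {"id": "fxhash 0.2.1", "name": "fxhash"},
        {"id": "serde 1.0.0", "name": "serde"},
    ],
    "resolve": {
        "nodes": [
            {"id": "ephapax-cli 0.1.0", "deps": [
                # kind None == normal dependency; "dev" == [dev-dependencies]
                {"pkg": "wasmtime 36.0.0", "dep_kinds": [{"kind": "dev"}]},
                {"pkg": "serde 1.0.0", "dep_kinds": [{"kind": None}]},
            ]},
            {"id": "wasmtime 36.0.0", "deps": [
                {"pkg": "fxprof-processed-profile 0.0.0", "dep_kinds": [{"kind": None}]},
            ]},
            {"id": "fxprof-processed-profile 0.0.0", "deps": [
                {"pkg": "fxhash 0.2.1", "dep_kinds": [{"kind": None}]},
            ]},
            {"id": "fxhash 0.2.1", "deps": []},
            {"id": "serde 1.0.0", "deps": []},
        ]
    },
}

PRODUCTION_KINDS = {None, "build"}      # compiled into shipped artifacts
ALL_KINDS = PRODUCTION_KINDS | {"dev"}  # also tests, examples, benches


def _walk(metadata, allowed_kinds):
    """BFS from every workspace member over edges whose kind is allowed.
    Returns {package_id: parent_id} so a chain can be reconstructed."""
    deps_of = {n["id"]: n["deps"] for n in metadata["resolve"]["nodes"]}
    parent = {m: None for m in metadata["workspace_members"]}
    queue = deque(parent)
    while queue:
        cur = queue.popleft()
        for dep in deps_of.get(cur, []):
            if not any(k["kind"] in allowed_kinds for k in dep["dep_kinds"]):
                continue
            if dep["pkg"] not in parent:
                parent[dep["pkg"]] = cur
                queue.append(dep["pkg"])
    return parent


def _ids_named(metadata, crate_name):
    return [p["id"] for p in metadata["packages"] if p["name"] == crate_name]


def classify(metadata, crate_name):
    """'production' if reachable without dev edges, 'dev-only' if reachable
    only through a [dev-dependencies] edge, 'absent' if not in the package
    list, 'unreachable' if listed but not linked from any workspace member."""
    ids = _ids_named(metadata, crate_name)
    if not ids:
        return "absent"
    prod = _walk(metadata, PRODUCTION_KINDS)
    if any(i in prod for i in ids):
        return "production"
    everything = _walk(metadata, ALL_KINDS)
    if any(i in everything for i in ids):
        return "dev-only"
    return "unreachable"


def chain_to(metadata, crate_name):
    """Member -> ... -> crate path by crate name, like `cargo tree -i <crate>`."""
    name_of = {p["id"]: p["name"] for p in metadata["packages"]}
    parent = _walk(metadata, ALL_KINDS)
    for target in _ids_named(metadata, crate_name):
        if target not in parent:
            continue
        path, cur = [], target
        while cur is not None:
            path.append(name_of[cur])
            cur = parent[cur]
        return path[::-1]
    return []


if __name__ == "__main__":
    crate = sys.argv[1] if len(sys.argv) > 1 else "fxhash"
    # Read real metadata from a pipe; fall back to the constructed sample.
    md = SAMPLE_METADATA if sys.stdin.isatty() else json.load(sys.stdin)
    print(crate, "->", classify(md, crate), "via", " -> ".join(chain_to(md, crate)))
```

Run without input it prints `fxhash -> dev-only via ephapax-cli -> wasmtime -> fxprof-processed-profile -> fxhash` for the sample; against the real workspace, pipe `cargo metadata` into it. Note that `cargo metadata` only records dev-dependency edges for workspace members, so a "dev-only" answer means the crate is pulled in exclusively by test, example or bench targets of this workspace, which is exactly the condition that makes an advisory ignorable for shipped binaries.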

Recommended fix (cleanest)

Disable `wasmtime` default features at the workspace dep:

```toml
# Cargo.toml, [workspace.dependencies]
wasmtime = { version = "36", default-features = false }
```

This drops the entire `fxprof-processed-profile` chain (and thus `fxhash`). The dev test only needs `runtime` + `cranelift` (core wasmtime); profiling is not used.

Alternative fixes

  • `cargo-audit` ignore with rationale comment (`audits/` directory + `audit.toml` workflow) — hides finding rather than removing it
  • Swap `wasmtime` for `wasmi` in the integration test — larger but cleaner long-term

Recommend: try the default-features-off approach first; if tests still pass, ship as a follow-up PR.

Discovered: 2026-06-01 CI/CD + deps audit.
