fix: correct glob expansion in downloads cleanup, add purge index bounds guard, update security audit

- lib/clean/user.sh: quote glob patterns in _clean_incomplete_downloads so
  they are not expanded at array assignment time; filenames with spaces would
  previously be word-split before reaching safe_clean, causing silent failures
- lib/clean/project.sh: replace silent array fallback with explicit bounds
  check before reading PURGE_CATEGORY_FULL_PATHS_ARRAY, guarding against
  future index drift if menu filtering is added
- SECURITY_AUDIT.md: document double validatePath in analyze delete, native
  PAM passthrough for sudo prompts, dry-run dedup by filesystem identity,
  atomic purge config write, pre-commit hook mirroring CI, and new test suites

lib/clean/project.sh

@@ -767,7 +767,11 @@ select_purge_categories() {
         printf "%s\n" "$clear_line"
 
         local current_index=$((top_index + cursor_pos))
-        local current_full_path="${PURGE_CATEGORY_FULL_PATHS_ARRAY[current_index]:-}"
+        local current_full_path=""
+        local paths_len="${#PURGE_CATEGORY_FULL_PATHS_ARRAY[@]}"
+        if [[ "$paths_len" -gt 0 && "$current_index" -lt "$paths_len" ]]; then
+            current_full_path="${PURGE_CATEGORY_FULL_PATHS_ARRAY[current_index]}"
+        fi
         if [[ -n "$current_full_path" ]]; then
             printf "%s${GRAY}Full path:${NC} %s\n" "$clear_line" "$current_full_path"
             printf "%s\n" "$clear_line"

lib/clean/user.sh

@@ -88,9 +88,9 @@ _clean_recent_items() {
 # Internal: Clean incomplete browser downloads, skipping files currently open.
 _clean_incomplete_downloads() {
     local -a patterns=(
-        "$HOME/Downloads/"*.download
-        "$HOME/Downloads/"*.crdownload
-        "$HOME/Downloads/"*.part
+        "$HOME/Downloads/*.download"
+        "$HOME/Downloads/*.crdownload"
+        "$HOME/Downloads/*.part"
     )
     local labels=("Safari incomplete downloads" "Chrome incomplete downloads" "Partial incomplete downloads")
     local i=0