fix: correct glob expansion in downloads cleanup, add purge index bounds guard, update security audit

- lib/clean/user.sh: quote glob patterns in _clean_incomplete_downloads so
  they are not expanded at array assignment time; filenames with spaces would
  previously be word-split before reaching safe_clean, causing silent failures
- lib/clean/project.sh: replace silent array fallback with explicit bounds
  check before reading PURGE_CATEGORY_FULL_PATHS_ARRAY, guarding against
  future index drift if menu filtering is added
- SECURITY_AUDIT.md: document double validatePath in analyze delete, native
  PAM passthrough for sudo prompts, dry-run dedup by filesystem identity,
  atomic purge config write, pre-commit hook mirroring CI, and new test suites

lib/clean/user.sh

@@ -88,9 +88,9 @@ _clean_recent_items() {
 # Internal: Clean incomplete browser downloads, skipping files currently open.
 _clean_incomplete_downloads() {
     local -a patterns=(
-        "$HOME/Downloads/"*.download
-        "$HOME/Downloads/"*.crdownload
-        "$HOME/Downloads/"*.part
+        "$HOME/Downloads/*.download"
+        "$HOME/Downloads/*.crdownload"
+        "$HOME/Downloads/*.part"
     )
     local labels=("Safari incomplete downloads" "Chrome incomplete downloads" "Partial incomplete downloads")
     local i=0