feat: finalize v0.3.0 — security hardening, TUI fix, perf improvements #17

Merged
jonathanmagambo merged 1 commit into main from feat/finalize-v0.3.0 on Mar 12, 2026

Conversation

@jonathanmagambo
Collaborator

Security:

  • Replace plain string hash compare with constant-time aws_lc_rs::pbkdf2::verify()
  • Derive cursor signing key via HKDF-SHA256 (proper domain separation from password)
  • Suppress password echo in prompts using rpassword crate
  • Early-return 401 on malformed user records (empty hash/salt) in login handler
  • Reject blank usernames in create_user to avoid empty-key storage

Bug fixes:

  • TUI fetch_collection: add Accept: application/json header so server returns parseable JSON instead of defaulting to msgpack (TUI was silently getting no data)
  • Collapse nested if-let chains in save_editor to fix clippy::collapsible_if

Performance:

  • Add gzip CompressionLayer to Axum router via tower-http (automatic for clients that send Accept-Encoding: gzip; 60-70% size reduction on large paginated lists)

Cleanup:

  • Remove orphaned crates/query/src/temp_test.rs scratch file
  • Update writer.rs batch comment to document N-txn-per-collection invariant
  • Update query crate lib.rs doc to reflect v0.3 status (Cedar RLS + join query)

Version bumps: all 9 crates 0.2.0 → 0.3.0
forge-types, forge-security, forge-storage, forge-protocol, forge-query, forge-auth, forge-server, forge-cli, forge-bin
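The login and cursor-key hardening listed above (constant-time PBKDF2 verify, HKDF-SHA256 key derivation with domain separation, early rejection of malformed user records, blank-username check), as an added Python example using only the standard library. It is not the forge project's Rust code; the iteration count, user-record layout and HKDF info label are assumptions.

```python
# Added example, not the forge project's code: the PR's login and cursor-key
# hardening modelled with the Python standard library. Iteration count,
# record layout and the HKDF info label are assumptions.
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000                     # assumed; the PR does not state it
CURSOR_INFO = b"forge/cursor-signing/v1"   # assumed domain-separation label

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 as stored in the user record by create_user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def create_user(username: str, password: str) -> dict:
    """Reject blank usernames so no record is stored under an empty key."""
    if not username.strip():
        raise ValueError("username must not be blank")
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}

def verify_password_v02(record: dict, password: str) -> bool:
    """Pre-hardening shape: plain equality on the hash, which leaks timing."""
    return hash_password(password, record["salt"]) == record["hash"]

def verify_password(record: dict, password: str) -> bool:
    """Hardened check: early reject (401) on malformed records, then a
    constant-time compare, the role aws_lc_rs::pbkdf2::verify plays."""
    if not record.get("hash") or not record.get("salt"):
        return False                       # no KDF work for a broken record
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def cursor_signing_key(server_secret: bytes, salt: bytes) -> bytes:
    """Separate key for signing pagination cursors: the info label keeps it
    distinct from anything else derived from the same secret."""
    return hkdf_sha256(server_secret, salt, CURSOR_INFO, 32)

def sign_cursor(key: bytes, cursor: bytes) -> str:
    return hmac.new(key, cursor, hashlib.sha256).hexdigest()
```

A quick sanity check for the expand loop is RFC 5869 test case 1 (22 bytes of 0x0b, salt 0x00..0x0c, info 0xf0..0xf9, 42-byte output).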

jonathanmagambo merged commit 92b9bee into main on Mar 12, 2026
1 check passed
jonathanmagambo deleted the feat/finalize-v0.3.0 branch on March 12, 2026 at 21:55