
v0.2.1 - security review fixes


@magnattic magnattic released this 29 Apr 22:02
· 8 commits to main since this release

Bug-fix release addressing findings from a code review of v0.2.0. No breaking changes.

Critical fixes

  • kpxc denylists subcommands with non-standard argument shapes (db-create, import, open, close, merge). v0.2.0 silently reordered the arguments of these subcommands, so kpxc import source.xml dest.kdbx could overwrite source.xml with the contents of the user's unlocked database.
  • kpxc denylists the mutating -p flags (add -p, edit -p, db-edit -p, db-edit --set-password). v0.2.0 silently fed EOF to the new-password prompt, creating entries with empty passwords.

Security fixes

  • All four scripts refuse to source a config file unless it is owned by the current user and has no group/world write bits. This prevents code injection via a writable ~/.config/kpxc/config.
  • README config example now sets chmod 600.
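The ownership and permission check described above, written out as an added example (this is not the kpxc project's own code). It assumes a GNU or BSD stat on PATH and that the config file is a plain shell fragment meant to be sourced:

```shell
#!/usr/bin/env bash
# Added example (not the kpxc project's own code): refuse to source a
# config file unless it is owned by the current user and has no
# group/world write bits, the policy the v0.2.1 scripts enforce.
set -euo pipefail

# Print "<owner-uid> <octal-mode>" for a path, following symlinks.
# GNU stat first, BSD/macOS stat as the fallback.
file_owner_mode() {
  stat -L -c '%u %a' "$1" 2>/dev/null || stat -L -f '%u %OLp' "$1"
}

# Return 0 if the file is safe to source, 1 (with a reason on stderr) otherwise.
config_is_safe() {
  local path=$1 owner_mode owner mode
  if [ ! -f "$path" ]; then
    echo "kpxc: config is not a regular file: $path" >&2
    return 1
  fi
  owner_mode=$(file_owner_mode "$path")
  owner=${owner_mode%% *}
  mode=${owner_mode##* }
  if [ "$owner" != "$(id -u)" ]; then
    echo "kpxc: refusing config not owned by uid $(id -u): $path" >&2
    return 1
  fi
  # 022 masks the group (020) and world (002) write bits of the octal mode.
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "kpxc: refusing group/world-writable config (mode $mode): $path" >&2
    return 1
  fi
  return 0
}

# Source the config only after it passes the check; callers get a
# non-zero status instead of silently executing a file someone else could edit.
load_config() {
  config_is_safe "$1" || return 1
  # shellcheck disable=SC1090
  . "$1"
}

# Run directly with a path to check (and source) that file.
if [ "$#" -gt 0 ]; then
  load_config "$1" && echo "loaded $1"
fi
```

Note that a file with mode 644 passes (it is readable by others but only the owner can change it), while 660 or 646 is rejected because a group member or anyone else could rewrite the commands that get sourced.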

Other fixes

  • README env-var names corrected from KPXC_* to KP_* (was a copy-paste from before the v0.2.0 rename).
  • kpxc / kpget no longer remove the cache on a TTL miss (this raced with a concurrent kpunlock).
  • kpxc passes --help / -h through for any subcommand without injecting the database argument.
  • kpunlock writes cache with trailing newline (defensive).
  • kpget surfaces keepassxc-cli's actual error instead of a generic "cache stale" hint.
  • kplock now uses set -euo pipefail, matching the other scripts.
  • CI shellcheck severity bumped from warning to style.

Tests

Test suite grew from 15 to 28 tests covering all denylist cases, config permission rejection, and --help passthrough.