Commit 8f2d1f2

chore(deps): strip phantom deps to close Cargo CVE findings (closes #33) (#41)

## Summary

- Removes the **phantom** `bincode = { version = "1.3", optional = true }` declaration from the root `Cargo.toml`.
- Removes the dead `fast-serde = ["bincode"]` feature flag and its mention in `full`.
- Closes RUSTSEC-2025-0141 (`bincode@1.3.3`, advisory: bincode 1.x maintenance sunset) at the source.

## Phantom verification

```
$ grep -rE 'bincode' --include='*.rs' .
(no matches)
```

The `bincode` crate was never imported in any `.rs` file. The optional dep + `fast-serde` feature flag were dead scaffold — the comment "10x faster than JSON" never made it to a call site.

## Advisory closure

```
$ grep -c '^name = "bincode"$' Cargo.lock # 0
```

RUSTSEC-2025-0141 no longer applies because the affected crate isn't in the dependency graph.

## Build status

`cargo check --lib` finishes clean (33 pre-existing docs warnings; no new diagnostics).

`cargo check --bin mobile-ai` shows 4 pre-existing errors in `src/main.rs` referencing methods (`switch_project`, `clear_history`, `recent_history`) that don't exist on `Orchestrator`. These reproduce on `main` without this branch — out of scope for the CVE strip.

Closes #33.

## Test plan

- [x] `grep` confirms no `bincode` references in any `.rs` file
- [x] `cargo check --lib` green locally
- [x] `Cargo.lock` no longer contains `bincode`
- [ ] CI: `cargo-audit` workflow shows RUSTSEC-2025-0141 cleared
- [ ] CI: `rust-ci.yml` green

---

Track E (panic-attack bridge triage) cleanup, Batch B. Owner reviews CI before merge — auto-merge intentionally left OFF.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 139ee5b commit 8f2d1f2

2 files changed

Lines changed: 423 additions & 225 deletions
