CR-034: Harden repository consistency and secrets hygiene

[coreytshaffer]

Summary

Implements CR-034 to reduce repository consistency drift and harden secret-handling boundaries.

Changes

• Make pyproject.toml canonical and reduce setup.py to a compatibility shim.
• Raise supported Python floor to >=3.10.
• Expand CI to test Python 3.10, 3.11, and 3.12.
• Require Qwen API keys to come from TRIAGE_QWEN_API_KEY, not tracked TOML config.
• Extend persistent privacy invariants to reject secret-bearing keys.
• Sanitize backend HTTP error output instead of printing raw response bodies.
• Add SECURITY.md.
• Add CR-034 documentation and changelog entry.
• Update focused config, privacy invariant, backend, Qwen, and routing tests.
• Ignore .triagecore/identity/ as local runtime identity state.

Validation

text python -m py_compile triage_core\config.py triage_core\privacy_invariants.py triage_core\backends.py python -m py_compile setup.py python -m pytest tests\test_config.py tests\test_privacy_invariants.py tests\test_backends.py tests\test_qwen_backend.py tests\test_qwen_cloud_routing.py -q 37 passed python -m pytest -q 335 passed, 2 skipped, 1 warning git diff --check passed, with only CRLF normalization warnings

Notes

An untracked .triagecore/identity/ directory existed before this pass and was intentionally left untouched. This PR now ignores the whole runtime identity directory so a broad git add . will not stage local identity state.