build: strip Gitea token from pallas patch URLs + add cargo config

Hard rule from Cobb 2026-05-06: zero secrets hardcoded in committed
source. The [patch.crates-io] block had the kayos Gitea PAT embedded
in the URL, which cargo then duplicated into Cargo.lock's source URLs.

Fix:
- Cargo.toml [patch.crates-io] URLs are now tokenless
  (http://192.168.0.5:3001/...)
- Cargo.lock source URLs scrubbed to match
- .cargo/config.toml adds [net] git-fetch-with-cli = true so cargo
  defers to system git for fetches; system git authenticates via
  the user's git credential helper (~/.git-credentials chmod 600).

Operators (devs + crafting-table runner) need a working git credential
helper for the LAN Gitea, configured out-of-band (NOT in this repo).
Pattern: `git config --global credential.helper store` +
`echo http://USER:TOKEN@192.168.0.5:3001 > ~/.git-credentials &&
chmod 600 ~/.git-credentials`. After Cobb rotates the kayos PAT,
update that file on every host that builds aldabra.

.cargo/config.toml

@@ -0,0 +1,8 @@
+# Use system git for fetch (respects ~/.git-credentials and SSH keys),
+# so credentials never get baked into Cargo.lock URLs.
+#
+# Required because the [patch.crates-io] block in Cargo.toml points at
+# the LAN-only Sulkta-Coop/pallas fork. Without this, cargo's internal
+# libgit2 client would prompt for creds and bake them into Cargo.lock.
+[net]
+git-fetch-with-cli = true

Cargo.lock

@@ -1253,7 +1253,7 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 [[package]]
 name = "pallas-addresses"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
  "base58",
  "bech32",
@@ -1268,7 +1268,7 @@ dependencies = [
 [[package]]
 name = "pallas-codec"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
  "hex",
  "minicbor",
@@ -1279,7 +1279,7 @@ dependencies = [
 [[package]]
 name = "pallas-crypto"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
  "cryptoxide",
  "hex",
@@ -1293,7 +1293,7 @@ dependencies = [
 [[package]]
 name = "pallas-primitives"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
  "base58",
  "bech32",
@@ -1308,7 +1308,7 @@ dependencies = [
 [[package]]
 name = "pallas-traverse"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
  "hex",
  "itertools",
@@ -1324,7 +1324,7 @@ dependencies = [
 [[package]]
 name = "pallas-txbuilder"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
  "hex",
  "pallas-addresses",
@@ -1341,7 +1341,7 @@ dependencies = [
 [[package]]
 name = "pallas-wallet"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
  "bech32",
  "bip39",

Cargo.toml

@@ -101,10 +101,10 @@ rpassword = "7"
 # against the same commit. PR upstream pending; switch back to
 # crates.io once merged.
 [patch.crates-io]
-pallas-codec      = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-crypto     = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-primitives = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-traverse   = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-addresses  = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-wallet     = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-txbuilder  = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-codec      = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-crypto     = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-primitives = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-traverse   = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-addresses  = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-wallet     = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-txbuilder  = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }