
security: add safetensors validation before unsafe mmap in candle embedding #414

@bug-ops

Description


Related to #391

Summary

An unsafe mmap is used to load embedding models without any runtime validation of the file. The risk is low (files come from the trusted HF Hub), but a corrupted download or a malicious repository could expose memory safety issues.

Severity

Low — Requires compromised HF infrastructure or MITM attack.

Location

crates/zeph-llm/src/candle_provider/embed.rs:62-63

// SAFETY: file is a valid safetensors downloaded from hf-hub, not modified during
// VarBuilder lifetime
let vb =
    unsafe { VarBuilder::from_mmaped_safetensors(&[weights_path], DType::F32, device)? };

Recommendation

Add runtime header validation before mmap:

// Validate the safetensors header before the unsafe mmap. `SafeTensors::read_metadata`
// takes the file contents as a byte slice (not a path), so the file is read first; the
// call parses the 8-byte length prefix and the JSON header and checks that every tensor's
// offsets are in bounds, contiguous and consistent with its dtype and shape.
// Note: this reads the whole file into memory once before the mmap.
let bytes = std::fs::read(&weights_path)
    .map_err(|e| LlmError::ModelLoad(format!("cannot read weights: {e}")))?;
let (_header_len, metadata) = safetensors::SafeTensors::read_metadata(&bytes)
    .map_err(|e| LlmError::ModelLoad(format!("invalid safetensors: {e}")))?;
tracing::debug!("safetensors metadata: {:?}", metadata);
drop(bytes);

// SAFETY: safetensors header validated, file from trusted HF Hub
let vb = unsafe { VarBuilder::from_mmaped_safetensors(&[weights_path], DType::F32, device)? };

Alternatively, check if candle provides a safe API for this operation.
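To make concrete what "header validation before mmap" actually checks, the following script is an added example (not code from this issue, from the zeph project, or from the safetensors crate). It implements the same checks the safetensors crate performs when it parses a header: the 8-byte little-endian length prefix, a size cap on the JSON header, in-bounds and shape-consistent data_offsets for every tensor, and the requirement that the tensors tile the data section exactly with no gaps or overlaps. Python is used so that JSON parsing comes from the standard library; the dtype table, the header cap and the sample blobs (a valid two-tensor file, a file whose header claims 1 MB of data that is not there, and a file with overlapping tensors) are constructed inline for the example.

```python
import json
import struct
from math import prod

# Byte width of each dtype named by the safetensors format.
DTYPE_SIZES = {
    "BOOL": 1, "U8": 1, "I8": 1, "F8_E4M3": 1, "F8_E5M2": 1,
    "I16": 2, "U16": 2, "F16": 2, "BF16": 2,
    "I32": 4, "U32": 4, "F32": 4,
    "I64": 8, "U64": 8, "F64": 8,
}
MAX_HEADER_SIZE = 100_000_000  # cap on the JSON header, mirroring the safetensors crate


class SafetensorsError(ValueError):
    """Raised for any header that must not be trusted for an mmap-backed load."""


def validate_safetensors(buf: bytes) -> dict:
    """Parse the header of a safetensors blob and check every tensor entry.

    Layout: 8-byte little-endian header length N, N bytes of JSON, then raw data.
    Returns {name: (dtype, shape, start, end)} on success, raises otherwise.
    """
    if len(buf) < 8:
        raise SafetensorsError("header too small")
    (n,) = struct.unpack("<Q", buf[:8])
    if n > MAX_HEADER_SIZE:
        raise SafetensorsError(f"header length {n} exceeds cap")
    if 8 + n > len(buf):
        raise SafetensorsError("header length runs past end of file")
    try:
        header = json.loads(buf[8:8 + n].decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise SafetensorsError(f"header is not valid JSON: {exc}") from exc
    if not isinstance(header, dict):
        raise SafetensorsError("header is not a JSON object")

    data_len = len(buf) - 8 - n
    spans = []
    for name, info in header.items():
        if name == "__metadata__":
            continue  # free-form string map, carries no offsets
        if not isinstance(info, dict):
            raise SafetensorsError(f"{name}: entry is not an object")
        dtype, shape, offsets = info.get("dtype"), info.get("shape"), info.get("data_offsets")
        if dtype not in DTYPE_SIZES:
            raise SafetensorsError(f"{name}: unknown dtype {dtype!r}")
        if not (isinstance(shape, list) and all(
                isinstance(d, int) and not isinstance(d, bool) and d >= 0 for d in shape)):
            raise SafetensorsError(f"{name}: bad shape {shape!r}")
        if not (isinstance(offsets, list) and len(offsets) == 2
                and all(isinstance(o, int) and not isinstance(o, bool) for o in offsets)):
            raise SafetensorsError(f"{name}: bad data_offsets {offsets!r}")
        start, end = offsets
        if not 0 <= start <= end <= data_len:
            raise SafetensorsError(f"{name}: data_offsets {offsets} outside data section")
        if end - start != DTYPE_SIZES[dtype] * prod(shape):
            raise SafetensorsError(f"{name}: byte length does not match dtype * shape")
        spans.append((start, end, name))

    # Tensors must tile the data section exactly: no gaps, no overlaps, no trailing bytes.
    spans.sort()
    cursor = 0
    for start, end, name in spans:
        if start != cursor:
            raise SafetensorsError(f"{name}: gap or overlap before offset {start}")
        cursor = end
    if cursor != data_len:
        raise SafetensorsError(f"{data_len - cursor} trailing bytes not covered by any tensor")

    return {name: (header[name]["dtype"], header[name]["shape"], s, e) for s, e, name in spans}


def _raw_file(header: dict, data: bytes) -> bytes:
    """Assemble a blob from an arbitrary header dict with no consistency checks (sample builder)."""
    hjson = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(hjson)) + hjson + data


def build_safetensors(tensors: dict) -> bytes:
    """Assemble a well-formed blob from {name: (dtype, shape, raw_bytes)} (sample builder)."""
    header, data, offset = {}, bytearray(), 0
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [offset, offset + len(raw)]}
        data += raw
        offset += len(raw)
    return _raw_file(header, bytes(data))


# Constructed sample: a tiny F32 model with a 2x3 weight and a 3-element bias.
GOOD_FILE = build_safetensors({
    "weight": ("F32", [2, 3], struct.pack("<6f", *range(6))),
    "bias": ("F32", [3], struct.pack("<3f", 0.5, 0.5, 0.5)),
})
# Constructed sample: header claims 1 MB of weight data but only 24 bytes follow it.
OVERRUN_FILE = _raw_file(
    {"weight": {"dtype": "F32", "shape": [2, 3], "data_offsets": [0, 1_000_000]}}, bytes(24))
# Constructed sample: two tensors mapped onto the same 24 bytes.
OVERLAP_FILE = _raw_file(
    {"a": {"dtype": "F32", "shape": [6], "data_offsets": [0, 24]},
     "b": {"dtype": "F32", "shape": [6], "data_offsets": [0, 24]}}, bytes(24))


def is_loadable(buf: bytes) -> bool:
    """Gate an mmap-backed load on header validation; True only if every check passed."""
    try:
        validate_safetensors(buf)
        return True
    except SafetensorsError:
        return False


if __name__ == "__main__":
    print("good file:", is_loadable(GOOD_FILE))            # True
    print("overrun file:", is_loadable(OVERRUN_FILE))      # False
    print("overlap file:", is_loadable(OVERLAP_FILE))      # False
    print("truncated file:", is_loadable(GOOD_FILE[:-4]))  # False
```

The point of the example for this issue: the validator never touches tensor bytes, it only decides whether the offsets the header advertises are consistent with the file that is actually on disk. That is exactly the property the SAFETY comment on the mmap relies on, and it is what turns "trusted because it came from HF Hub" into a check that also holds for a truncated download or a repository that was tampered with.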

References

  • CWE-119 (Improper Restriction of Operations within Memory Buffer)
  • Security audit: .local/audit/security-audit.md (SEC-5)
