
deps: update starlark to 0.14.2#24820

Merged
bolinfest merged 1 commit into main from pr24820 on Jun 8, 2026

Conversation

@bolinfest (Collaborator) commented May 27, 2026

Why

codex-rs was still pinned to starlark 0.13.0. Upstream has released starlark 0.14.2 with the security-related updates that motivated this bump, so this keeps execpolicy on the current release and refreshes the advisory configuration against the dependency graph Cargo now resolves.

The lockfile churn is larger than a simple four-crate version bump. In 0.14.x, upstream starlark moved several internals forward, including parser dependencies and the pagable path. I set default-features = false on starlark, but starlark 0.14.2 has an empty default feature set and pagable is not feature-gated in the published crate, so this does not shrink the current graph. It does keep future default-feature expansion from changing our graph implicitly.

What Changed

  • Bumped the workspace starlark dependency from 0.13.0 to 0.14.2 and refreshed Cargo.lock.
  • Kept the Cargo.toml diff minimal: the workspace dependency ordering is unchanged, and only the starlark line changes.
  • Set default-features = false on starlark; this is defensive only because upstream default features are currently empty.
  • Updated MODULE.bazel.lock after the Cargo dependency change.
  • Updated deny.toml and .cargo/audit.toml so ignored advisories match the new graph:
    • existing derivative, fxhash, and paste exceptions still apply through starlark/related dependencies;
    • atomic-polyfill is now documented through the pagable/postcard/heapless path;
    • the stale instant exception is gone because it is no longer encountered with the 0.14.2 graph.
  • Adjusted codex-execpolicy and codex-execpolicy-legacy for starlark 0.14 API changes:
    • use Module::with_temp_heap instead of the removed Module::new;
    • update legacy AllocValue impls for the new Heap<'v> argument shape.

Lockfile Notes

  • The starlark crate family moves from 0.13.0 to 0.14.2.
  • Parser-related dependencies move off the old lalrpop/ena stack and onto the newer logos 0.15 path.
  • pagable 0.4.1 is now introduced by upstream starlark and accounts for new serialization/storage-adjacent crates such as postcard, heapless 0.7, atomic-polyfill, and blake3. sled and rusqlite are not present in the current 0.14.2 graph.
  • allocative moves to 0.3.6 and now brings in ctor 1.0.6. The lockfile still also contains the existing ctor 0.6.3 used by other Codex dependencies, so reviewers will see two ctor versions.

Verification

  • cargo deny check advisories
  • just bazel-lock-check
  • just test -p codex-execpolicy -p codex-execpolicy-legacy
  • cargo check -p codex-tui

@bolinfest (Collaborator, Author) commented

Note: I'm going to wait for 0.14.1 because I expect it will be a bit slimmer.

@bolinfest bolinfest changed the title from "deps: update starlark to 0.14.0" to "deps: update starlark to 0.14.2" Jun 7, 2026
@bolinfest bolinfest requested a review from anp-oai June 7, 2026 23:38
@bolinfest bolinfest merged commit e648ec7 into main Jun 8, 2026
61 checks passed
@bolinfest bolinfest deleted the pr24820 branch June 8, 2026 00:35
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 8, 2026