**Deferred to follow-up commits** (in order):

1. Switch single `EncryptorBE32` for manual STREAM nonces (preparation for parallelism)
2. `secrets` crate for key handling + `rlimit` to disable core dumps
3. Atomic file output (`.tmp` + rename)
4. `argon2id` KDF + passphrase prompt + CLI flags
5. Multi-threaded pipeline (worker pool + ordered writer)
6. Length-committed mode + random-access decrypt fast path for files