python · ouroboros-ai · Critical
ouroboros-ai: Incomplete denylist in CVE-2026-47211 fix allows RCE via env vars and cwd auto-load
What changed
The fix for CVE-2026-47211 omitted several execution-routing environment variables from the denylist, enabling RCE through a malicious .env or cwd-based MCP config auto-load. Fixed in 0.42.1 by adding all omitted keys to _UNTRUSTED_ENV_DENYLIST and removing the cwd auto-discovery branch.
Who it affects
All users of ouroboros-ai prior to 0.42.1 who run the tool from untrusted or cloned repositories.
What to do today
Upgrade to version 0.42.1 immediately. Do not run Ouroboros from an untrusted repository directory; remove any project-directory .env and ./.ouroboros/mcp_servers.yaml before running.
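A pre-flight check for the steps above, as an added example that is not part of the advisory or the project's code. The function names are hypothetical; only the two file paths, the package name and the fixed version are taken from this page.

```python
import re
import sys
from importlib import metadata
from pathlib import Path

# Both values come from the advisory text; everything else here is illustrative.
RISKY_PATHS = (".env", ".ouroboros/mcp_servers.yaml")
FIXED_VERSION = (0, 42, 1)


def is_patched(version_text):
    """True if the leading numeric part of the version is >= 0.42.1."""
    match = re.match(r"\d+(?:\.\d+)*", version_text)
    if not match:
        return False  # unparseable version: treat as unpatched
    return tuple(int(p) for p in match.group().split(".")) >= FIXED_VERSION


def env_key_names(env_file):
    """Variable names (never values) that a .env file would set."""
    names = []
    for line in env_file.read_text(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        names.append(line.split("=", 1)[0].removeprefix("export ").strip())
    return names


def preflight(repo_dir):
    """Report which advisory-listed files exist under repo_dir."""
    root = Path(repo_dir)
    files = [rel for rel in RISKY_PATHS if (root / rel).exists()]
    env_file = root / ".env"
    keys = env_key_names(env_file) if env_file.is_file() else []
    return {"files": files, "env_keys": keys}


if __name__ == "__main__":
    report = preflight(sys.argv[1] if len(sys.argv) > 1 else ".")
    try:  # assumes the installed distribution is named as on this page
        installed = metadata.version("ouroboros-ai")
    except metadata.PackageNotFoundError:
        installed = "not installed"
    print(f"ouroboros-ai {installed}: patched={is_patched(installed)}")
    for rel in report["files"]:
        print(f"remove before running: {rel}")
    for name in report["env_keys"]:
        print(f".env would set: {name}")
    sys.exit(1 if report["files"] else 0)
```

Run it with the cloned repository's path as the argument; a non-zero exit means one of the listed files is still present.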