test: implement missing glob_fuzz target #915

@chaliy

Problem

The threat model (specs/006-threat-model.md) declares a glob_fuzz fuzz target for testing glob/pathname expansion robustness, but it was never implemented. Only parser_fuzz, lexer_fuzz, and arithmetic_fuzz exist in crates/bashkit/fuzz/fuzz_targets/.

Glob expansion has known pathological cases (e.g. TM-DOS-031 — extended glob exponential blowup) that fuzzing could help catch.

Proposed approach

Add fuzz_targets/glob_fuzz.rs that:

  • Generates random glob patterns (with *, ?, [...], {...}, extended globs)
  • Populates a small VFS with random filenames
  • Calls the glob expansion code and verifies it completes within resource limits
  • Input constraint: UTF-8, ~512 byte limit (similar to arithmetic_fuzz)

CI integration

Add to the nightly fuzz workflow (fuzz.yml) matrix. If the target takes considerable time to run, keep it nightly-only (don't add to the CI compile check that runs on every PR — though cargo fuzz build should still compile it).

References

  • Existing fuzz targets: crates/bashkit/fuzz/fuzz_targets/
  • Nightly fuzz workflow: .github/workflows/fuzz.yml
  • Related threat: TM-DOS-031 (extended glob exponential blowup)
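An added example (not from the issue or the bashkit code base) of the invariant the proposed target would check: reject oversized or non-UTF-8 input, match one pattern against a few filenames, and stop at a step budget instead of hanging. `glob_match`, `fuzz_one`, `STEP_BUDGET` and the line-based input layout are hypothetical, and the stand-in matcher handles only `*` and `?`, not extended globs.

```rust
// Added illustration. glob_match is a stand-in matcher, not bashkit's code.
const MAX_INPUT: usize = 512; // input constraint from the issue
const STEP_BUDGET: u64 = 100_000; // assumed per-match resource limit

/// Naive backtracking matcher for `*` and `?`. Each call costs one step;
/// returns None once the budget is spent.
fn glob_match(p: &[char], s: &[char], steps: &mut u64) -> Option<bool> {
    if *steps == 0 { return None; }
    *steps -= 1;
    match p.split_first() {
        None => Some(s.is_empty()),
        Some((&'*', rest)) => {
            // Every split point is retried: the source of the blowup.
            for i in 0..=s.len() {
                if glob_match(rest, &s[i..], steps)? { return Some(true); }
            }
            Some(false)
        }
        Some((&c, rest)) => match s.split_first() {
            Some((&h, tail)) if c == '?' || c == h => glob_match(rest, tail, steps),
            _ => Some(false),
        },
    }
}

/// Fuzz-style entry point: line 1 is the pattern, later lines are filenames.
/// Returns (match count, budget exhausted), or None for rejected input.
fn fuzz_one(data: &[u8]) -> Option<(usize, bool)> {
    if data.len() > MAX_INPUT { return None; }
    let mut lines = std::str::from_utf8(data).ok()?.lines();
    let pat: Vec<char> = lines.next()?.chars().collect();
    let (mut hits, mut exhausted) = (0, false);
    for name in lines {
        let name: Vec<char> = name.chars().collect();
        let mut steps = STEP_BUDGET; // fresh budget per filename
        match glob_match(&pat, &name, &mut steps) {
            Some(true) => hits += 1,
            Some(false) => {}
            None => exhausted = true,
        }
    }
    Some((hits, exhausted))
}

fn main() {
    // Constructed input: ten `*a` groups against forty 'a's, no 'b' to match.
    let evil = format!("{}*b\n{}", "*a".repeat(10), "a".repeat(40));
    println!("{:?}", fuzz_one(evil.as_bytes()));
}
```

In a real target the step counter would be replaced by whatever limits the glob expansion code already enforces, with the fuzzer flagging any input that runs past them.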
