Harden plugin runtime: TLS verify, LSP deadlock, path traversal, ABI exception safety (W14)
W14 addresses the five most critical findings from the W13 plugin audits:

- W14.1 network: enable ssl::verify_peer + SSL_set1_host SNI hostname verification (fixes TLS bypass, W13.3 CVSS 7.4); add steady_timer DNS timeout and bottom-up catch(...) hardening (engineer-zhou)
- W14.2 lsp: fix reader_loop/stop mutex deadlock via stop_nolock/stop_locked split (W13.4); wrap 11 vtable/entry functions in try/catch with cv notification on reader exit (engineer-sun)
- W14.3 tools: add is_safe_path() rejecting empty/absolute/.. paths before file_io calls (fixes path traversal, W13.5 CVSS 7.5); guard g_tools and g_session/g_history under mutex; 9 vtable try/catch (security-cao)
- W14.4 host: add fallback plugin search (../plugins/) so binaries run from build/tests/ load current DLLs, resolving the W13.6 R2 stale-DLL false alarm (architect-lin)
- W14.5 anthropic+deepseek: wrap 12 ABI boundary functions in try/catch with log-guard, preventing exceptions from crossing the C ABI (engineer-chen)

Verified: cmake build 0 error 0 warning, ctest 4/4 pass, smoke R2 now passes naturally.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -188,7 +188,12 @@ DSTALK_API int dstalk_init(const char* config_path)
|
||||
// 扫描插件目录
|
||||
const char* plugin_dir = g_config->get("plugin_dir");
|
||||
if (!plugin_dir) plugin_dir = "plugins";
|
||||
load_plugins_from_directory(plugin_dir);
|
||||
int loaded = load_plugins_from_directory(plugin_dir);
|
||||
if (loaded <= 0) {
|
||||
host_log(DSTALK_LOG_WARN,
|
||||
"No plugins found in '%s', trying '../plugins'", plugin_dir);
|
||||
loaded = load_plugins_from_directory("../plugins");
|
||||
}
|
||||
|
||||
// 初始化所有插件
|
||||
if (g_plugin_loader->initialize_all(&g_host_api) != 0) {
|
||||
|
||||
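Review bot: the fallback in the `if (loaded <= 0)` branch widens the plugin search path in a way the operator cannot see or disable: `"../plugins"` is resolved against the process's current working directory, not the executable or the configured `plugin_dir`, so whenever the configured directory is empty (or `load_plugins_from_directory` reports an error, since negative returns take the same branch) the host will load whatever DLLs sit in the parent of wherever it was launched from. Because plugins run in-process, that is a silent loading-from-untrusted-directory path. Suggest restricting the fallback to the case where `plugin_dir` came from the built-in default rather than from `g_config->get("plugin_dir")` (an explicitly configured directory should not be overridden), resolving the fallback relative to the executable's own location instead of the CWD, and logging the final `loaded` count (including the "still nothing found" case) before proceeding to `initialize_all`, so the test-runner convenience described in the commit message does not become the production default.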