fix(core): drain provider pipes while waiting for timeout #38

Closed
JSONbored wants to merge 1 commit into main from codex/propose-fix-for-provider-execution-vulnerability

Conversation

@JSONbored
Owner

Motivation

  • The provider runner waited for the child process to exit before reading piped stdout/stderr, which can deadlock when a provider emits more data than the OS pipe buffer and causes findings to be lost.
  • This behavior converts a timed-out or killed provider into a low-severity provider_execution_failed signal, allowing explicitly enabled providers to be silently bypassed by large outputs.
  • The intent of the change is to ensure provider output is drained while the child runs so caps and timeouts behave as intended and provider findings are not suppressed.

Description

  • Drain stdout and stderr concurrently by spawning reader threads that read_to_end (with take-based caps) immediately after spawning the provider, and join those threads after wait_timeout returns.
  • Preserve existing output-cap behavior and timeout handling, returning the same capped error when stdout exceeds the configured cap or the provider times out.
  • Add use std::thread; and update the provider contract test to invoke /bin/sleep under an isolated PATH and to include the actual error text in the assertion message.
  • Modified files: crates/nightward-core/src/providers.rs and crates/nightward-core/tests/provider_contracts.rs.

Testing

  • Ran cargo test -p nightward-core, which executes the unit tests and provider_contracts test suite.
  • The provider_contracts tests (including provider_timeout_returns_stable_warning_error and provider_stdout_cap_fails_closed_before_parsing) passed after the changes.
  • All core tests completed with no failures in the final run.
  • The change preserves existing caps and timeout semantics verified by the updated tests using the isolated provider stubs.

Codex Task
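
The drain-while-waiting pattern outlined in the description above, as an added example that is not this PR's code or nightward-core's. It polls the standard library's `try_wait` in place of `wait_timeout`; `run_capped`, `drain`, `RunError`, the cap-before-timeout error ordering and the `head`/`/dev/zero` child are assumptions for illustration.

```rust
use std::io::Read;
use std::process::{Command, Stdio};
use std::thread;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
enum RunError { Timeout, StdoutCapExceeded, Io(String) }

// Reads on its own thread; cap + 1 bytes tells "over the cap" from "exactly at the cap".
fn drain<R: Read + Send + 'static>(pipe: R, cap: u64) -> thread::JoinHandle<Vec<u8>> {
    thread::spawn(move || {
        let mut buf = Vec::new();
        let _ = pipe.take(cap + 1).read_to_end(&mut buf);
        buf // the pipe is dropped here; a child still writing gets EPIPE
    })
}

// Hypothetical runner: drain right after spawn, wait with a deadline, then join.
fn run_capped(mut cmd: Command, cap: u64, timeout: Duration) -> Result<Vec<u8>, RunError> {
    let mut child = cmd.stdin(Stdio::null()).stdout(Stdio::piped()).stderr(Stdio::piped())
        .spawn().map_err(|e| RunError::Io(e.to_string()))?;
    let out = drain(child.stdout.take().expect("piped stdout"), cap);
    let err = drain(child.stderr.take().expect("piped stderr"), cap);
    let deadline = Instant::now() + timeout;
    let exited = loop {
        match child.try_wait() {
            Ok(Some(_)) => break true,
            Ok(None) if Instant::now() >= deadline => break false,
            Ok(None) => thread::sleep(Duration::from_millis(10)),
            Err(e) => return Err(RunError::Io(e.to_string())),
        }
    };
    if !exited {
        let _ = child.kill(); // closes the child's pipe ends so the readers finish
        let _ = child.wait(); // reap the killed child
    }
    let stdout = out.join().map_err(|_| RunError::Io("stdout reader panicked".into()))?;
    let _stderr = err.join().map_err(|_| RunError::Io("stderr reader panicked".into()))?;
    // Fail closed: over-cap output is an error and is never handed to a parser.
    if stdout.len() as u64 > cap { return Err(RunError::StdoutCapExceeded); }
    if !exited { return Err(RunError::Timeout); }
    Ok(stdout)
}

fn main() {
    let mut cmd = Command::new("head"); // constructed child: 200000 bytes, above a 64 KiB pipe
    cmd.args(["-c", "200000", "/dev/zero"]);
    println!("{:?}", run_capped(cmd, 1 << 20, Duration::from_secs(5)).map(|b| b.len()));
}
```

If the child leaves a descendant holding the pipe open, the joins block until that descendant exits, so a runner that spawns through a shell also needs to kill the process group.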

@JSONbored
Owner Author

Closing as superseded by #40, which merged the provider execution hardening along with the consolidated security fixes. This branch also has a failing DCO check, so keeping it open would only add noise.

@JSONbored
Owner Author

Superseded by #40.

@JSONbored JSONbored closed this May 5, 2026
@JSONbored JSONbored deleted the codex/propose-fix-for-provider-execution-vulnerability branch May 5, 2026 20:20