security/pdfrip: Update to 3.0.0

Changes since 2.0.1:

PDFRip v3.0.0 is a trust/performance/compatibility release focused on
making
pdfrip more correct, measurable, and useful on real password-cracking
workloads.

Highlights

Prepared verifier hot path

• Password attempts no longer rebuild general PDF parsing/storage state on every try
• The release extracts the security envelope once, prepares a direct verifier once, and reuses it across attempts
• Verified against deterministic qpdf fixtures for Standard Security Handler revisions R2 through R6

Better compatibility coverage

The fixture and verifier matrix now covers:

• R2 / R3 / R4 RC4
• R4 AES-128
• R5 / R6 AES-256
• Unicode R5 / R6 passwords
• Blank user passwords
• Object streams and xref streams
• Linearized PDFs
• EncryptMetadata=false

Exact progress and resume

• Progress is now based on verified attempts, not merely queued work
• Historical "100%, ETA 0s, but still running" behavior is fixed
• Checkpoint/resume is now a first-class workflow with exact verified-prefix recovery

New and improved search workflows

• New mask mode for bounded structured passwords
• New contains-word mode for "known substring + brute-force the rest" workflows
• Date --format now supports custom shapes
• Custom-query now supports literal-only queries and fixes bugs
• Numeric ranges are inclusive and sized exactly
• Default-query now enumerates printable ASCII correctly and can test blank passwords

Better UX and reporting

• Success output distinguishes user vs owner passwords when revision allows it
• Blank passwords render explicitly as ""
• Structured JSON output available with --json
• Malformed inputs return normal user-facing errors instead of panics
• Documentation matches measured reality and current workflows

New opt-in fast mode

• --user-password-only skips owner-password checks for document-opening password workflows
• Can reduce end-to-end time on R5/R6 workloads

Measured improvements

Representative local measurements on Apple M3 Pro showed:
* Synthetic R5 prepared verifier: 15.5x lower latency than legacy path
* Large bundled R3 example: 4.5x lower latency
* 10,000-candidate mask exhaustion: 3.4x faster at 4 workers vs 1
  worker
* User-password-only speedups: 1.31x-2.77x faster depending on
  revision

Build and release hardening

• Exact dependency pinning for sensitive direct crates
• Tracked Cargo.lock with --locked CI/release flows
• CI coverage on Linux/macOS/Windows for stable + nightly
• Cargo install smoke testing
• Benchmark-harness build coverage
• PDF fixtures marked binary-safe across platforms