fix: migrate off unsound serde_yml to serde_norway

serde_yml (RUSTSEC-2025-0068) and its libyml backend
(RUSTSEC-2025-0067) are archived, unsound, and unmaintained with no
patched version. Swap to serde_norway, the maintained serde_yaml fork
on unsafe-libyaml-norway — a drop-in for our from_str / to_string /
Value usage across persistence, undo, and the catalog parser.

Clears both advisories (cargo audit / osv-scanner / grype all clean;
serde_yml + libyml gone from the tree). No behaviour change; full
suite 2151/0/1.

src/friendly/format.rs

@@ -23,7 +23,7 @@ pub struct Catalog {
 
 impl Catalog {
     fn load() -> Self {
-        let value: serde_yml::Value = serde_yml::from_str(EN_US)
+        let value: serde_norway::Value = serde_norway::from_str(EN_US)
             .expect("embedded en-US.yaml must parse (ADR-0019 §8.6 startup check)");
         let mut entries = HashMap::new();
         flatten(&value, String::new(), &mut entries);
@@ -44,12 +44,12 @@ impl Catalog {
 }
 
 fn flatten(
-    value: &serde_yml::Value,
+    value: &serde_norway::Value,
     prefix: String,
     out: &mut HashMap<String, String>,
 ) {
     match value {
-        serde_yml::Value::Mapping(map) => {
+        serde_norway::Value::Mapping(map) => {
             for (k, v) in map {
                 let k_str = k
                     .as_str()
@@ -62,14 +62,14 @@ fn flatten(
                 flatten(v, next, out);
             }
         }
-        serde_yml::Value::String(s) => {
+        serde_norway::Value::String(s) => {
             out.insert(prefix, s.clone());
         }
         // Empty top-level (Null) is fine — an empty catalog
         // loads as no entries. Anything else is a structure
         // error worth panicking over since the catalog is
         // shipped with the binary.
-        serde_yml::Value::Null if prefix.is_empty() => {}
+        serde_norway::Value::Null if prefix.is_empty() => {}
         other => panic!("catalog value at `{prefix}` is not a string: {other:?}"),
     }
 }