ci: declare least-privilege permissions on the deepnsm-wired workflows

Addresses CodeRabbit review on #479: style.yml and rust-test.yml had no
explicit `permissions:` block, so they inherited the repo-default token
scope. These jobs only checkout, build, lint, and test — declare
`contents: read` so GITHUB_TOKEN is least-privilege. Codecov upload uses
its own token secret and is non-fatal (fail_ci_if_error: false).

Also re-triggers CI: the prior run's `test (stable)` failed on a transient
rust-lld SIGBUS (signal 7) while linking lance-graph's datafusion test
binaries — intermittent linker memory-pressure flake, unrelated to deepnsm
(the same code linked fine in test-with-coverage; deepnsm fmt+clippy gates
already passed).

https://claude.ai/code/session_014A4JuRCqKP2yNENrQ9Ha7H

Author: claude

.github/workflows/rust-test.yml

@@ -20,6 +20,11 @@ env:
   RUST_BACKTRACE: "1"
   CARGO_INCREMENTAL: "0"
 
+# Least-privilege: these jobs only read the repo (checkout + build + test).
+# Codecov upload uses its own token secret and is non-fatal (fail_ci_if_error: false).
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-24.04

.github/workflows/style.yml

@@ -18,6 +18,10 @@ env:
   CARGO_TERM_COLOR: always
   RUSTFLAGS: "-C debuginfo=1 -C target-cpu=x86-64-v3"
 
+# Least-privilege: these jobs only read the repo (checkout + build + lint).
+permissions:
+  contents: read
+
 jobs:
   # Clippy runs FIRST and is mandatory — logical soundness before syntax.
   # Discipline: