Add SafePickleEncoder with restricted unpickler; deprecate PickleEncoder

[eddieran]

Summary

Fixes #848 — PickleEncoder calls pickle.loads() without restrictions, enabling remote code execution via crafted pickle payloads when an attacker has broker access.

This PR:

• Adds SafePickleEncoder — a drop-in replacement that uses a RestrictedUnpickler subclass, limiting deserialization to a fixed allow-list of safe built-in types (int, str, dict, list, datetime, UUID, Decimal, etc.)
• Supports extension via extra_allowed parameter for projects that need custom types
• Deprecates PickleEncoder — decode() now emits a DeprecationWarning recommending SafePickleEncoder, with removal planned for v3.0.0
• Exports SafePickleEncoder from the top-level dramatiq package

Migration

# Before
import dramatiq
dramatiq.set_encoder(dramatiq.PickleEncoder())

# After
import dramatiq
dramatiq.set_encoder(dramatiq.SafePickleEncoder())

# If you need custom types:
dramatiq.set_encoder(dramatiq.SafePickleEncoder(
    extra_allowed={"mymodule.MyClass"}
))

Test plan

• Roundtrip encode/decode of basic Python types (int, float, str, bytes, list, dict, tuple, set, None, bool)
• Malicious pickle payloads (e.g. os.system) are blocked with DecodeError
• Arbitrary classes not in the allow-list are rejected
• extra_allowed parameter correctly extends the allow-list
• PickleEncoder.decode() emits DeprecationWarning
• Integration test with stub broker and worker
• SafePickleEncoder is importable from dramatiq top-level