Harden util.inspect hiding test with customInspect: false

[Declade]

Problem

The util.inspect hiding test added in PR #6 uses:

const inspected = inspect(client, { showHidden: true, depth: null });
expect(inspected).not.toContain(VALID_KEY);

Today this passes structurally because the TheVeil class does not define a [util.inspect.custom] method. If a future change adds one (deliberately or accidentally) that returns or stringifies the key, this test would not catch it because inspect would call the custom inspector before reaching the structural traversal.

Proposed fix

Pass customInspect: false so the test ignores any custom inspector:

const inspected = inspect(client, {
  showHidden: true,
  depth: null,
  customInspect: false,
});
expect(inspected).not.toContain(VALID_KEY);

This makes the assertion structural rather than dependent on absence-of-shim. Optionally, add a second test that exercises the with-customInspect path so that adding a custom inspector that leaks the key is also caught.

Acceptance

• The util.inspect hiding test passes customInspect: false.
• Optional: a second test defines a [util.inspect.custom] shim that returns the key string and asserts the test fails — i.e. proving the shim path is also covered.

Priority

LOW. Nice-to-have hardening; no defect today.

Surfaced by

Subagent review on PR #6, bug-hunter-reviewer L1 finding.