chore: prepare v0.3.2 release changelog

fix: update buildRunArgs call in test to include authVolume parameter

fix: update buildRunArgs call in test to include authVolume parameter

chore: windows binary in .gitignore

security: clean up secrets dir on SIGINT/SIGTERM and guard .construct…

…/.env from git

os.Exit bypasses deferred calls, so the signal handler now explicitly
removes the secrets temp dir before exiting. secretsDir is also created
before dind starts so its path is always in scope for the handler.
Adds .construct/.env to .gitignore as a defence against accidental
credential commits.