
fix: critical security fixes, cache invalidation & modernization#42

Open
notrodans wants to merge 4 commits into 3rd:master from notrodans:fix/security-cache-modernization

Conversation

@notrodans


1. Security Fixes (Critical)

  • Shell Injection: Refactored `mermaid`, `d2`, `gnuplot`, and `plantuml` renderers to pass command arguments as a list of strings to `vim.fn.jobstart`. Previously, arguments were concatenated into a single string, making the plugin vulnerable to shell injection if filenames or options contained malicious characters.
  • PlantUML: Removed shell redirection (`>`) entirely, using `vim.fn.rename` for safer file handling.

2. Bug Fixes & Correctness

  • Cache Invalidation: Fixed a bug where changing renderer options (e.g., `theme`, `scale`) did not trigger a re-render because the cache hash was based solely on the source code. The hash now includes `vim.inspect(options)`.
  • Gnuplot Cache: Fixed a type error where the cache returned a `string` (path) instead of a `table`, causing runtime errors on cache hits.
  • Neorg Parsing: Fixed a state leak in `neorg.lua` where `current_language` wasn't reset, causing code blocks without parameters to inherit the language of the previous block.
  • Resource Leaks: Added cleanup logic (`vim.fn.delete`) to remove temporary source files after rendering in all renderers.

3. Performance & Modernization

  • Event-Driven Rendering: Replaced the inefficient polling loop (timer every 100ms) in `init.lua` and `hover.lua` with a callback-based approach using `on_exit`, reducing idle resource usage.
  • Tree-sitter: Replaced deprecated `require("vim.treesitter.query")` calls with the modern `vim.treesitter.query.parse` API.
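An added illustration of the two fixes in sections 1 and 2 above, written for this review and not taken from the plugin's code: the concatenated-string form of `vim.fn.jobstart` that goes through the shell beside the argv-list form that does not, an `on_exit` callback in place of a polling timer, and a cache key that covers the render options as well as the source. The renderer command (`mmdc` with `-i`, `-o`, `-t`), the path names and the `on_done` callback are assumptions for the example.

```lua
-- Added example (not the plugin's own code). Renderer command and flags
-- are assumed; swap in whatever the real renderer expects.
local M = {}

-- Cache key covering both source text and options, so changing `theme`
-- or `scale` produces a different key and forces a re-render.
function M.cache_key(source, options)
  return vim.fn.sha256(source .. vim.inspect(options))
end

-- VULNERABLE form: a single string is passed to jobstart, so Neovim
-- runs it via the user's shell. Shell metacharacters (;, |, $(...), `)
-- in a filename or option value are parsed by the shell, not treated
-- as part of the argument.
function M.render_unsafe(src_path, out_path, theme)
  local cmd = "mmdc -i " .. src_path .. " -o " .. out_path .. " -t " .. theme
  return vim.fn.jobstart(cmd) -- string => shell is involved
end

-- HARDENED form: a list of strings is passed, so jobstart spawns the
-- program directly with one argv entry per element and no shell parses
-- anything. on_exit replaces the 100ms polling loop; the temporary
-- source file is removed as soon as the job finishes.
function M.render_safe(src_path, out_path, theme, on_done)
  local argv = { "mmdc", "-i", src_path, "-o", out_path, "-t", theme }
  return vim.fn.jobstart(argv, {
    on_exit = function(_job_id, exit_code, _event)
      vim.fn.delete(src_path) -- resource-leak fix from section 2
      on_done(exit_code == 0 and out_path or nil)
    end,
  })
end

return M
```

Note that `vim.fn.shellescape` on each fragment of the string form would also block injection, but the list form is simpler to get right because there is no shell to escape for.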

