fix(export): replace unreachable!() with defensive Err on unknown format

The export format match at the write-out site was `_ => unreachable!()`,
supposedly safe because the early-return gate at the top of the function
rejects anything that isn't "json" or "jsonl". That gate works today,
but `unreachable!()` converts any future gate-vs-match drift (case
sensitivity bug, refactor, new format branch added above but not below)
into a user-visible panic through the MCP dispatcher instead of a clean
error response.

Replace with a typed `Err(format!("unsupported export format: {:?}",
other))` so the defence lives at both layers. Same runtime behaviour
for every valid input; strictly safer for any invalid input that would
have slipped through a future refactor.

This commit is contained in:
Sam Valladares 2026-04-19 20:23:52 -05:00
parent d4e906ba85
commit 45190ff74d

@ -459,7 +459,18 @@ pub async fn execute_export(storage: &Arc<Storage>, args: Option<Value>) -> Resu
writer.write_all(b"\n").map_err(|e| e.to_string())?; writer.write_all(b"\n").map_err(|e| e.to_string())?;
} }
} }
_ => unreachable!(), // Defensive: the `format != "json" && format != "jsonl"` early-return
// above should already catch every unsupported format, but that gate is
// at the arg-validation layer. If it ever grows a bug (e.g. case
// sensitivity drift, a new branch, refactor) we return a clean error
// instead of `unreachable!()` — no panic can reach a user via the MCP
// dispatcher.
other => {
return Err(format!(
"unsupported export format: {:?}. Expected 'json' or 'jsonl'.",
other
));
}
} }
writer.flush().map_err(|e| e.to_string())?; writer.flush().map_err(|e| e.to_string())?;
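Review bot: the `other =>` arm is the right fallback, but the accepted-format set is still spelled out twice as string literals (the `format != "json" && format != "jsonl"` gate named in the comment, and the arms of this match), which is exactly the drift the comment worries about. Consider parsing `format` into a small enum once at the arg-validation layer and matching on that here; the compiler then enforces exhaustiveness and the catch-all arm becomes unnecessary. Two smaller points on the arm as written: the error value is a plain `String` (consistent with the surrounding `map_err(|e| e.to_string())?` calls), so callers can only match on text, not on an error kind; and `{:?}` on the user-supplied `other` is a good choice, since Debug formatting quotes the value and escapes control characters before it reaches the MCP error response.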