Add only trusted projects' bin directory to $PATH
Assuming the binstubs for a project are in the local bin/ directory, you
can even go a step further to add the directory to shell $PATH so that
rspec can be invoked without the bin/ prefix:

    export PATH="./bin:$PATH"

Doing so on a system that other people have write access to
(such as a shared host) is a security risk:

rbenv/rbenv#309

The `.git/safe` convention addresses the security problem:

https://twitter.com/tpope/status/165631968996900865

Put this in `zshenv` because:

http://zsh.sourceforge.net/Intro/intro_3.html

> `.zshenv' is sourced on all invocations of the shell, unless the -f
> option is set. It should contain commands to set the command search
> path.

Load `zshenv.local` config at the end of the file so that users can
extend their `zshenv` needs in their personal dotfiles using `rcup`.
Dan Croak committed Jan 21, 2014
1 parent e0200f0 commit d670205
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions zshenv
@@ -0,0 +1,5 @@
# mkdir .git/safe in the root of repositories you trust
export PATH=".git/safe/../../bin:$PATH"

# Local config
[[ -f ~/.zshenv.local ]] && source ~/.zshenv.local
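
Review bot: the PATH entry on the `export PATH=".git/safe/../../bin:$PATH"` line is relative and prepended, and the comment above it does not say what that implies. The entry is resolved against the current directory on every command lookup, so it only matches while the shell sits in the root of a repository that has `.git/safe`; from a subdirectory the binstubs are silently not found, and in a trusted root anything in `bin/` shadows system commands of the same name. Since `zshenv` is read by non-interactive shells as well, this applies to scripts run from that directory, not only to commands typed at the prompt. I would extend the comment to state both points and to note that trust is granted by whoever can create `.git/safe`, so the repository's `.git` directory should be writable only by its owner. A smaller point: every nested zsh re-sources this file and prepends the entry again, so adding `typeset -U path` before the export would keep `$PATH` free of duplicates.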
