v0.0.4

Fail-closed update verification

Adds a Verification policy to EngineConfig so consumers can require update artifacts to be verified, instead of the previous best-effort behaviour that silently skipped checks when an input was missing.

• Verification::BestEffort (default) — unchanged, backwards-compatible.
• Off / Checksum / Signature / Strict — opt-in policies.
• Under Signature/Strict, an unverifiable release is rejected at check() (before being surfaced as available) and again at download(). New Error::VerificationRequired.
• A blank sha256/signature is treated as absent (not verified against an empty value), and an empty fetched signature body fails closed.

Refs #1 (PRs #2).