fix: verify bun installer SHA-256 before executing (#2463)#2473

Merged
la14-1 merged 2 commits into main from fix/issue-2463
Mar 11, 2026

Conversation


@la14-1 la14-1 commented Mar 11, 2026

Why: Issue #2463 flags the curl|bash bun install pattern as a supply chain risk. This PR replaces the pipe-to-bash pattern with a download-verify-execute approach.

Fixes #2463

Changes

  • Add BUN_INSTALL_VERSION and BUN_INSTALLER_SHA256 constants at the top of install.sh
  • Add portable sha256_file() helper (works on Linux with sha256sum and macOS with shasum -a 256)
  • Replace curl ... | bash with download-to-tempfile, SHA-256 verification, then bash <tempfile>
  • On hash mismatch: abort with a clear error message pointing to the repo for reporting
  • On missing hash tool: warn and proceed (graceful degradation, no regression)
  • Use BUN_INSTALL_VERSION variable in manual install instructions (DRY)

Security Analysis

The bun installer (https://bun.sh/install?version=1.3.9) is a third-party script that downloads and installs the bun binary. Previously, this was piped directly from curl to bash with no verification.

Risk: If bun.sh is compromised or DNS is hijacked, an attacker could serve a modified installer that executes arbitrary code.

Mitigations added:

  1. SHA-256 hash verification — the installer script is downloaded to a temp file and its hash is checked against a known-good value before execution
  2. Version pinning — already existed (?version=1.3.9), now extracted to a named constant
  3. HTTPS-only — already existed (--proto '=https'), prevents HTTP downgrade attacks

Limitations:

  • The hash must be updated manually when bumping BUN_INSTALL_VERSION
  • If neither sha256sum nor shasum is available, verification is skipped with a warning (extremely rare — both macOS and Linux ship one of these)
  • This verifies the install script, not the bun binary it downloads (bun's own installer fetches from GitHub releases)

Compatibility

  • bash -n syntax check passes
  • macOS compat linter: 0 errors, 0 warnings
  • Uses shasum -a 256 on macOS (bash 3.x compatible)
  • No echo -e, no source <(...), no set -u, no bash 4+ features

-- refactor/security-auditor

Why: The curl|bash pattern for bun installation was an unverified supply
chain dependency. Now the installer is downloaded to a temp file and its
SHA-256 hash is verified against a known-good value before execution.
Falls back gracefully if sha256sum/shasum is unavailable.

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
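The download-verify-execute flow and the portable sha256_file() helper described in the PR, written out as an added example. This is not the project's install.sh or the PR's diff: the function names, the placeholder hash value, the `--tlsv1.2` flag, the return-code convention (2 for "no hash tool", 1 for mismatch) and the wording of the messages are this example's own assumptions; the installer URL and the `--proto '=https'` flag are taken from the PR text.

```bash
#!/usr/bin/env bash
# Added example of the download-verify-execute pattern described in the PR.
# This is not the project's install.sh; names, the placeholder hash, the
# --tlsv1.2 flag and the message wording are this example's own assumptions.
set -e

BUN_INSTALL_VERSION="1.3.9"
BUN_INSTALLER_URL="https://bun.sh/install?version=${BUN_INSTALL_VERSION}"
# Placeholder (assumed): replace with the real digest, recomputed on every version bump.
BUN_INSTALLER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 hex digest of $1. Returns 2 if no hash tool is available
# (sha256sum on Linux, shasum -a 256 on macOS), 1 if the file is unreadable.
sha256_file() {
  [ -r "$1" ] || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    return 2
  fi
}

# verify_file FILE EXPECTED: 0 on match, 1 on mismatch/unreadable, 2 if no hash tool.
verify_file() {
  local actual rc=0
  actual="$(sha256_file "$1")" || rc=$?
  [ "$rc" -eq 0 ] || return "$rc"
  [ "$actual" = "$2" ]
}

# run_verified SCRIPT EXPECTED: execute SCRIPT only if its digest matches.
# Mismatch aborts (return 1); a missing hash tool warns and proceeds, as the PR describes.
run_verified() {
  local script="$1" expected="$2" rc=0
  verify_file "$script" "$expected" || rc=$?
  case "$rc" in
    0) bash "$script" ;;
    2) echo "warning: neither sha256sum nor shasum found; running installer unverified" >&2
       bash "$script" ;;
    *) echo "error: bun installer checksum mismatch (or unreadable file), refusing to execute" >&2
       echo "  expected: $expected" >&2
       echo "  actual:   $(sha256_file "$script" 2>/dev/null || echo '<unreadable>')" >&2
       echo "  please report this at the project's issue tracker" >&2
       return 1 ;;
  esac
}

# download_and_run URL EXPECTED: fetch to a temp file (HTTPS only), verify, then run.
# The EXIT trap removes the temp file on both the success and the abort path.
download_and_run() {
  local url="$1" expected="$2" tmp
  tmp="$(mktemp)"
  trap "rm -f '$tmp'" EXIT
  curl --proto '=https' --tlsv1.2 -fsSL "$url" -o "$tmp"
  run_verified "$tmp" "$expected"
}

# Entry point: only runs when invoked as `./verified-install.sh --install`,
# so the file can be sourced for testing without touching the network.
if [ "${1:-}" = "--install" ]; then
  download_and_run "$BUN_INSTALLER_URL" "$BUN_INSTALLER_SHA256"
fi
```

The important detail is that the hash is checked on the bytes actually written to disk and that the same file is then passed to bash, so there is no second fetch between verification and execution. As the PR's limitations section notes, this pins the install script only; the binary the script fetches is still trusted on the installer's own terms.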
@la14-1 la14-1 marked this pull request as ready for review March 11, 2026 00:56

@louisgv louisgv left a comment


Security Review

Verdict: APPROVED
Commit: c4a3717

Summary

This PR adds SHA-256 verification to the bun installer before execution, significantly improving supply chain security by defending against compromised CDN or DNS hijack attacks.

Security Improvements

  • HIGH: Supply chain attack mitigation (lines 310-329) — downloads installer to temp file, verifies hash, aborts on mismatch
  • MEDIUM: Portable SHA-256 implementation (lines 35-44) — supports both Linux/macOS hash tools

Findings

  • MEDIUM-ACCEPTED: Fallback to unverified execution if sha256 tools unavailable (lines 313-314) — acceptable for backwards compatibility, clearly warned
  • LOW-SAFE: Temp file cleanup handled properly on both success/error paths
  • LOW-ACCEPTABLE: Hardcoded hash requires manual update when bumping bun version — documented in comment

Tests

  • bash -n: PASS (no syntax errors)
  • bun test: N/A (no TypeScript changes)
  • curl|bash: OK (no relative paths, no $0 reliance)
  • macOS bash 3.x compat: OK (no echo -e, no source <(), proper quoting)
  • Injection safety: OK (all variables properly quoted, no user input in commands)

Compliance

  • No as type assertions (shell script only)
  • No ESM/require issues (shell script only)
  • Follows curl|bash compatibility rules
  • Follows macOS bash 3.x compatibility rules

-- security/pr-reviewer

@louisgv louisgv added the security-approved Security review approved label Mar 11, 2026
@la14-1 la14-1 merged commit 7444c3b into main Mar 11, 2026
5 checks passed
@la14-1 la14-1 deleted the fix/issue-2463 branch March 11, 2026 01:39

Labels

security-approved Security review approved

Development

Successfully merging this pull request may close these issues.

security: [HIGH] curl|bash pattern without signature verification in install.sh

2 participants