v0.2.3 — doctor probe fixes

Maintenance release. Fixes false negatives in pai-anywhere doctor / verify when run under the unprivileged managed account.

Fixed

• Dependency probes read "missing" under the pai account — cmdExists ran sh -lc (a login shell), which reset PATH from /etc/profile (dropping /usr/sbin, /sbin) and could abort entirely when a profile.d snippet used bash syntax under dash, so command -v never ran. git/tailscale/ufw/fail2ban/sudo all read as not-installed. Now a plain sh -c over a PATH augmented with the standard admin directories — doctor/verify reflect reality regardless of the invoking account.
• ufw/fail2ban status warned falsely when unprivileged — ufw status needs root and fail2ban-client ping talks to a root-owned socket, so the probes leaked "ERROR: You need to be root" and misreported a healthy fail2ban as "daemon did not respond". New runPrivileged() elevates via passwordless sudo -n when available, else reports a clean "needs root" INFO instead of a false warning.

CI

• actions/checkout bumped v4 → v7 (Node 20 EOL on GitHub runners); pin-bot stays SHA-pinned.

Full diff: v0.2.2...v0.2.3