Security:
- HTTP timeout 120s (was: no timeout, hangs forever)
- dst.Close() error checked (was: unchecked, corrupted file on Windows)
- io.LimitReader 200MB decompression bomb protection (gosec G110)
- HTTP status code validation (was: no check for 404/500)

Correctness:
- macOS prints DYLD_LIBRARY_PATH (was: LD_LIBRARY_PATH)
- wgpu.Init() searches ./lib/ (auto-setup default location)
- filepath.Abs error handled with fallback

UX:
- Download progress with Content-Length (MB)
- README: WGPU_NATIVE_PATH instructions after setup

Code quality:
- Package doc comment for nativelib
- errcheck nolint directives with reasons
- SHA256 TODO for future checksum verification

Tests:
- Download() with httptest (happy path + 404 + network error)
- FindLibrary() with env var + lib/ dir search