Add checksum validation infrastructure for tool downloads

[WilliamBerryiii]

Summary

Implements checksum validation infrastructure for secure tool downloads, replacing the step-security/harden-runner action with more targeted security controls.

Note: This PR should be merged after #100 (devcontainer gitleaks checksum verification) is complete.

Changes

Workflow Security

• Remove step-security/harden-runner from 9 workflow files (audit-only, no security value)
• Add npm-audit job to PR validation for dependency vulnerability scanning
• Remove harden-runner SHA mapping from Update-ActionSHAPinning.ps1

Checksum Validation Infrastructure

• Add tool-checksums.json manifest for tracking tool versions and SHA256 checksums
• Add Get-ToolStaleness function to detect when tools have newer versions
• Add shell-downloads ecosystem to dependency pinning scanner
• Add Test-ShellDownloadSecurity function to detect unverified downloads in shell scripts
• Add Get-VerifiedDownload.ps1 helper for verified artifact downloads

Documentation

• Update .github/workflows/README.md to remove references to harden-runner

Relationship to #100

PR #100 adds checksum verification to the devcontainer gitleaks download with a hardcoded SHA. This PR adds the infrastructure to:

1. Track tool versions centrally in tool-checksums.json
2. Detect when tracked tools become stale
3. Scan for unverified downloads in shell scripts

After both PRs merge, a follow-up can update on-create.sh to read the SHA from the manifest instead of hardcoding it.

Testing

• npm run lint:ps - All PowerShell scripts pass PSScriptAnalyzer
• npm run lint:md - All markdown files pass linting