fix(npm): verify release archive checksums #46

Open
saurabhhhcodes wants to merge 1 commit into optiqor:main from saurabhhhcodes:fix/npm-archive-checksum-28

Conversation

@saurabhhhcodes

Summary

  • fetch checksums.txt from the matching GitHub release during npm postinstall
  • verify the downloaded platform archive with SHA-256 before extraction
  • delete unverified archives and fail loudly when the checksum is missing or mismatched
  • add focused Node tests for checksum parsing, successful verification, mismatch cleanup, and missing checksum handling

Fixes #28

Validation

  • npm run test:npm
  • git diff --check
  • GOFLAGS=-mod=mod make test

Note: plain make test currently stops before tests with the repo's existing vendor/modules.txt mismatch; rerunning with GOFLAGS=-mod=mod follows Go's suggested workaround and the full suite passes.

@saurabhhhcodes saurabhhhcodes requested a review from btwshivam as a code owner June 2, 2026 08:01
@github-actions

github-actions Bot commented Jun 2, 2026

First PR — welcome aboard!

A few things to expect:

  1. CI: every PR runs build + race tests + lint on Ubuntu and macOS. If something fails, the log will tell you exactly which gate.
  2. DCO: every commit needs Signed-off-by:. git commit -s adds it automatically.
  3. Conventional Commits: PR titles like feat(analyze): new rule or fix(cli): handle X. We squash-merge by default.
  4. Review: a maintainer will review within 72 hours. Suggestions are conversations, not orders — push back if something doesn't fit your context.

If you get stuck, reply here or jump to Discussions. We want this PR to land.

@github-actions github-actions Bot added labels area/npm (npm distribution and wrapper) and size/M (51–200 lines) Jun 2, 2026
Signed-off-by: Saurabh Kumar Bajpai <saurabhhhcodes@users.noreply.github.com>
@saurabhhhcodes saurabhhhcodes force-pushed the fix/npm-archive-checksum-28 branch from cb3884d to a1cde9d June 2, 2026 08:01
@saurabhhhcodes
Author

All checks are green now and the branch is clean. If this contribution is eligible for GSSoC scoring, could you please add the appropriate gssoc:approved, difficulty, and type labels during review? The issue is #28 and the change is scoped to npm release archive verification.

Development

Successfully merging this pull request may close these issues.

feat(npm): verify SHA-256 of downloaded binary against checksums.txt

1 participant