
setup-host.sh: optional --paranoid mode — rustup-init binary + sha256 verify #239

@WaylandYang

Description


Follow-up to #236 (thanks @jelloee for the original report — tagging you in case you want to take this one; zero pressure).

Context

#237 documented why the curl-pipe-sh rustup install is acceptable for the default path: rust-toolchain.toml pins the compiler forkd actually builds with, so the rustup binary itself is low-stakes. But the comment also promised a future opt-in hardened path.

Proposal

scripts/setup-host.sh --paranoid:

  1. Download the rustup-init binary for the host triple from https://static.rust-lang.org/rustup/archive/<version>/<triple>/rustup-init (versioned URL, not latest)
  2. Verify against a sha256 pinned in the script for the pinned rustup version
  3. Run ./rustup-init -y instead of curl-pipe-sh
  4. Same treatment for the Firecracker tarball download a few lines below (it already pins FC_VERSION but doesn't verify a checksum — FC publishes SHASUMS per release)

Default behavior unchanged — --paranoid is opt-in, so the sha256-staleness tradeoff discussed in #236 only bites people who asked for it.

Acceptance

  • setup-host.sh --paranoid works on a clean Ubuntu 22.04/24.04 host
  • Wrong sha256 → hard fail with a clear message
  • README one-liner under the install section mentioning the flag
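One way the `--paranoid` rustup step from the proposal could look, added here as an example and not code from the forkd repository or from the issue author. The rustup version, the pinned sha256 and the `host_triple`/`paranoid_rustup_install` helper names are placeholders and assumptions, not values from the project; the Firecracker tarball would get the same `verify_sha256` call against its published sum.

```shell
#!/usr/bin/env sh
# Added example (not forkd's setup-host.sh): opt-in --paranoid rustup install.
# The two pins below are placeholders that a real script would fill in.
set -eu

RUSTUP_VERSION="<pinned rustup version>"                 # placeholder
RUSTUP_INIT_SHA256="<pinned sha256 for that rustup-init>" # placeholder

# sha256 of a file; works with coreutils sha256sum or perl/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Hard-fail with a clear message when the digest does not match the pin.
# Returns 0 on match, 1 on mismatch, so a `set -e` caller aborts before
# the downloaded binary is ever executed.
verify_sha256() {
  file=$1; expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    printf 'ERROR: sha256 mismatch for %s\n  expected: %s\n  actual:   %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
  echo "ok: $file matches pinned sha256"
}

# Map uname -m to the target triple used in the versioned archive URL
# (assumption: Linux hosts only, matching the Ubuntu acceptance criteria).
host_triple() {
  case "$(uname -m)" in
    x86_64)  echo x86_64-unknown-linux-gnu ;;
    aarch64) echo aarch64-unknown-linux-gnu ;;
    *) echo "ERROR: unsupported arch $(uname -m)" >&2; return 1 ;;
  esac
}

paranoid_rustup_install() {
  triple=$(host_triple)
  url="https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/${triple}/rustup-init"
  tmp=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  verify_sha256 "$tmp" "$RUSTUP_INIT_SHA256"   # aborts on mismatch
  chmod +x "$tmp" && "$tmp" -y && rm -f "$tmp"
}

case "${1:-}" in --paranoid) paranoid_rustup_install ;; esac
```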

Metadata

Assignees

No one assigned

Labels

good first issue (Good for newcomers), security (Security / isolation correctness)
