fix(setup): add paranoid checksum mode

[Photon101]

Summary

Adds an opt-in scripts/setup-host.sh --paranoid mode for checksum-verified host setup.

What changed

• Pins rustup-init 1.29.0 and verifies the downloaded binary for x86_64-unknown-linux-gnu and aarch64-unknown-linux-gnu before running it.
• Verifies the pinned Firecracker v1.10.1 archive for x86_64 and aarch64 before extracting it.
• Preserves the default install path unless --paranoid is passed.
• Adds a README quick-start note showing the checksum-verified alternative.

Verification

bash -n scripts/setup-host.sh
shellcheck scripts/setup-host.sh
bash scripts/setup-host.sh --help
bash scripts/setup-host.sh --definitely-not-real
python3 -m unittest test_analyze.py -v        # in bench/pause-window
python3 -m py_compile agent.py echo_server.py # in bench/pause-window
bash -n bench/pause-window/run.sh
cargo fmt --all -- --check
cargo clippy --all-targets --all-features -- -D warnings
cargo build --all
cargo test --all
git diff --check

I also exercised the paranoid download path with HOME set to a temp directory and sudo stubbed to no-op, so apt/group/KSM/hugepage operations did not mutate the host. That run downloaded and verified the Firecracker v1.10.1 x86_64 archive, installed firecracker and jailer into the temp HOME, and confirmed Firecracker v1.10.1. The checksum helper was also checked against a wrong sha to confirm it hard-fails with a clear mismatch message, and against the real x86_64 rustup-init and Firecracker URLs without executing either artifact.

Closes #239

[WaylandYang]

@Photon101 — reviewed, and this is a textbook implementation of #239. Verification I ran before merging:

1. All 4 checksums independently reproduced on my dev box — downloaded rustup-init 1.29.0 (both triples) and the FC v1.10.1 tarballs (both arches) fresh and hashed them myself. Exact match on all four. This was the load-bearing check for a PR like this: a wrong pin is worse than no pin.
2. Wrong-sha hard-fail path: fed download_and_verify a deliberately bad hash — clean die with expected-vs-got in the message, exit 1. Matches the acceptance criteria.
3. bash -n clean, CI green.

Things I particularly liked:

• The TEMP_DIRS array + EXIT trap quietly fixes a pre-existing bug — the old code leaked $TMP if the install died between mktemp and rm -rf. You also guarded the empty-array expansion correctly for set -u.
• host_arch() mapping arm64 → aarch64 is a bonus fix: the old uname -m interpolation would have 404'd on some arm hosts.
• Default path is byte-equivalent — non-paranoid still streams curl | tar, so existing users see zero behavior change. Exactly the right scope discipline.
• Versioned static.rust-lang.org/rustup/archive/ URL instead of latest — pin actually pins.

Merging as-is. You'll be credited in the next release notes. Welcome aboard 🚀