Add automatic update checks for security tools (zizmor, SFW) (#1186)

* feat(updating): add automatic version checks for security tools

Checks for new zizmor and SFW releases, respects pnpm
minimumReleaseAge cooldown for third-party tools, updates
embedded checksums. Also adds Claude Code version sync phase.

* fix(updating): guard incomplete checksums and deduplicate SFW logic

- Add else clause when oldHash is undefined so allFound is set to false,
  preventing version bump with missing checksum entries
- Deduplicate download-and-hash logic in fetchSfwChecksums by computing
  the URL once before the shared try/catch block

* fix(updating): scope checksum replacements to target object

SFW_FREE_CHECKSUMS and SFW_ENTERPRISE_CHECKSUMS share platform keys
(e.g. 'linux-arm64'). Add objectName parameter to replaceChecksumValue
that scopes regex replacement within the target object block, preventing
cross-object mismatches.

* fix(updating): add all-found safety check to SFW checksum fetcher

Like the zizmor update path, prevent partial checksum updates when some
SFW asset downloads fail. Return unchanged checksums and changed: false
so the caller does not write an inconsistent state.

Author: jdalton