feat: add install script with sha256 validation #108

Merged
Mossaka merged 7 commits into main from copilot/add-sha-validation-install-script
Dec 19, 2025

Copilot AI commented Dec 12, 2025

Downloads could fail silently when HTTP errors (e.g., 404 pages) were saved as valid binaries. Users then executed HTML content instead of the binary.

Changes

New install.sh script:

  • SHA256 checksum verification against checksums.txt from release
  • curl -f for fail-fast on HTTP errors (404, 403, etc.)
  • File type validation to detect HTML error pages
  • AWK-based exact filename matching for checksum extraction (prevents substring collisions)
  • Case-insensitive checksum validation (^[a-fA-F0-9]{64}$)
  • Secure temp directory handling with mktemp -d -t

Documentation updates:

  • README.md: One-line installer with security features
  • docs/RELEASE_TEMPLATE.md: Updated installation section for future releases
  • docs-site: Documentation site updated

Usage

```bash
# One-line installer (recommended)
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo bash

# Manual installation with verification
curl -fL https://github.com/githubnext/gh-aw-firewall/releases/latest/download/awf-linux-x64 -o awf
curl -fL https://github.com/githubnext/gh-aw-firewall/releases/latest/download/checksums.txt -o checksums.txt
sha256sum -c checksums.txt --ignore-missing
chmod +x awf
sudo mv awf /usr/local/bin/
```

Security

Protects against:

  • 404/error pages saved as binaries (original issue)
  • Corrupted or tampered downloads
  • HTML content masquerading as binaries
  • Checksum extraction errors from similar filenames

Original prompt

It seems that the install script downloaded a 404 page and treated it as a valid binary.

Add file sha validation in install script.

#107
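
The checksum lookup and comparison listed in the PR description above, as an added example that is not the project's install.sh. Function names, file contents and the checksums.txt fixture are constructed; only the asset name awf-linux-x64 and the 64-hex-digit pattern come from the page.

```shell
#!/bin/sh
# Added example, not the project's install.sh; all sample data is constructed.

sha256_of() {   # print the hex SHA-256 digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Exact match on the filename field of checksums file $1 for name $2.
expected_sum() {
    awk -v name="$2" '$2 == name || $2 == ("*" name) { print $1; exit }' "$1"
}

# Substring match, for contrast: "awf-linux-x64" also hits awf-linux-x64.sig.
naive_sum() { grep "$2" "$1" | head -n 1 | awk '{print $1}'; }

# Status 0 only if file $1 hashes to the entry for name $2 in checksums file $3.
# The body is a subshell, so variables stay local and exit only leaves the function.
verify_download() (
    want=$(expected_sum "$3" "$2")
    # Missing or malformed entry: refuse before comparing anything.
    printf '%s\n' "$want" | grep -Eq '^[a-fA-F0-9]{64}$' || exit 2
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ "$(sha256_of "$1")" = "$want" ] || exit 1
)

# Constructed release directory: a binary, a similarly named asset listed
# first, an HTML error body, and an upper-case digest for the real binary.
make_fixture() {
    printf '\177ELF constructed sample binary\n' > "$1/awf-linux-x64"
    printf 'constructed detached signature\n' > "$1/awf-linux-x64.sig"
    printf '<html><body>404 Not Found</body></html>\n' > "$1/error-page"
    {
        printf '%s  %s\n' "$(sha256_of "$1/awf-linux-x64.sig")" awf-linux-x64.sig
        printf '%s  %s\n' "$(sha256_of "$1/awf-linux-x64" | tr a-f A-F)" awf-linux-x64
    } > "$1/checksums.txt"
}

status_of() { verify_download "$@" && echo 0 || echo $?; }

run_cases() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT      # single quotes: $tmp expands when the trap fires
    make_fixture "$tmp"; sums=$tmp/checksums.txt
    a=$(status_of "$tmp/awf-linux-x64" awf-linux-x64 "$sums")       # genuine file
    b=$(status_of "$tmp/error-page" awf-linux-x64 "$sums")          # HTML saved as binary
    c=$(status_of "$tmp/awf-linux-x64" awf-linux-x64-musl "$sums")  # no such entry
    echo "$a $b $c"
)
run_cases
```

The three statuses are 0 (match), 1 (digest mismatch) and 2 (no valid entry for that exact name).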



Copilot AI and others added 4 commits December 12, 2025 14:01
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add file SHA validation in install script feat: add install script with sha256 validation Dec 12, 2025
Copilot AI requested a review from pelikhan December 12, 2025 14:15
@github-actions

Test Coverage Report

| Metric | Coverage | Covered/Total |
|---|---|---|
| Lines | 66.72% | 704/1055 |
| Statements | 66.88% | 725/1084 |
| Functions | 70.73% | 87/123 |
| Branches | 61.53% | 232/377 |

Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

@Mossaka Mossaka marked this pull request as ready for review December 18, 2025 21:59
@Mossaka Mossaka requested a review from Copilot December 18, 2025 22:42
Copilot AI left a comment

Pull request overview

This PR adds a new installation script with SHA256 checksum validation to address issue #107, where 404 error pages could be downloaded and executed as valid binaries.

Key Changes:

  • New install.sh script with comprehensive security features including SHA256 verification, HTTP error detection, and file type validation
  • Updated installation documentation across README.md, docs/RELEASE_TEMPLATE.md, and docs-site to promote the new installer
  • Added -f flag to curl commands in manual installation instructions for fail-fast behavior on HTTP errors

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| install.sh | New installation script with SHA256 checksum verification, file type validation, and comprehensive error handling |
| README.md | Updated installation section to recommend the new one-line installer with SHA verification as the primary method |
| docs/RELEASE_TEMPLATE.md | Added one-line installer section and updated manual installation to include checksum verification steps |
| docs-site/src/content/docs/index.md | Updated installation instructions to promote the new installer with automatic SHA verification |

Mossaka and others added 2 commits December 19, 2025 07:53
Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>
- Separate local variable declarations from assignments (SC2155)
- Use single quotes in trap to avoid early expansion warning (SC2064)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>