Commit 6ce7586
feat(cli): add Sigstore/SLSA provenance verification to Rust self-update
Replace custom SHA-256 checksum approach with Sigstore provenance verification
using the sigstore-verification crate. Leverages the SLSA attestations from
actions/attest-build-provenance added in aaif-goose#7097 and builds on the native Rust
self-update foundation from aaif-goose#7148.
Changes:
- Add verify_provenance() that fetches and verifies GitHub attestation bundles
via the sigstore-verification crate (Sigstore signature chain, Rekor
transparency log, artifact digest match)
- Harden tar.bz2 extraction against tar-slip (reject absolute paths and ..
components, create parent dirs per-entry)
- Harden zip extraction against zip-slip (use enclosed_name() sanitization,
iterate entries individually)
- Add sha256_hex() helper for archive digest computation and display
- Remove all .sha256 file download/verify logic and CI workflow changes
- 16 unit tests covering SHA-256 digests, path validation (safe paths,
absolute path rejection, traversal rejection, nested traversal), tar
extraction round-trip, binary location, binary replacement, and provenance
verification graceful degradation
Signed-off-by: fre$h <fre5h3nough@gmail.com>
Signed-off-by: fre <anonwurcod@proton.me>
1 parent 4578697 commit 6ce7586
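The tar-slip and zip-slip hardening the commit message describes (reject absolute paths and `..` components, create parent directories per entry) is shown below as an added, standard-library-only Rust example. This is not the commit's own code: the names `validate_entry_path`, `safe_destination`, `extract_entries` and `EntryPathError` are assumed here, and the in-memory `(path, bytes)` entries stand in for the real tar/zip entry iterator. Unlike a straight port of the commit, it validates every entry before writing anything, so a hostile entry late in the archive cannot leave a half-extracted tree behind.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Reasons an archive entry path is refused (assumed names, not the commit's own).
#[derive(Debug, PartialEq, Eq)]
pub enum EntryPathError {
    Empty,
    Absolute,
    Traversal,
}

/// Normalise an archive entry's path and reject anything that could escape the
/// extraction directory: absolute paths, Windows drive/UNC prefixes, and any
/// `..` component, even one nested deep inside the path (`bin/../../x`).
pub fn validate_entry_path(entry: &str) -> Result<PathBuf, EntryPathError> {
    if entry.is_empty() {
        return Err(EntryPathError::Empty);
    }
    let mut out = PathBuf::new();
    for comp in Path::new(entry).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {} // "./bin/goose" is fine, just drop the "."
            Component::ParentDir => return Err(EntryPathError::Traversal),
            Component::RootDir | Component::Prefix(_) => return Err(EntryPathError::Absolute),
        }
    }
    if out.as_os_str().is_empty() {
        return Err(EntryPathError::Empty); // e.g. "." alone
    }
    Ok(out)
}

/// Join the validated relative path onto `dest` and re-check, lexically, that
/// the result still lives under `dest` (defence in depth against future edits
/// to `validate_entry_path`).
pub fn safe_destination(dest: &Path, entry: &str) -> Result<PathBuf, EntryPathError> {
    let full = dest.join(validate_entry_path(entry)?);
    if !full.starts_with(dest) {
        return Err(EntryPathError::Traversal);
    }
    Ok(full)
}

/// Write constructed `(path, bytes)` entries under `dest`. All paths are
/// validated first; only then are parent directories created per entry and the
/// files written. Returns the paths written, in archive order.
pub fn extract_entries(dest: &Path, entries: &[(&str, &[u8])]) -> io::Result<Vec<PathBuf>> {
    let mut targets = Vec::with_capacity(entries.len());
    for (name, _) in entries {
        let target = safe_destination(dest, name)
            .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, format!("{name}: {e:?}")))?;
        targets.push(target);
    }
    let mut written = Vec::with_capacity(entries.len());
    for (target, (_, data)) in targets.into_iter().zip(entries) {
        if let Some(parent) = target.parent() {
            fs::create_dir_all(parent)?; // create parent dirs per entry
        }
        fs::write(&target, data)?;
        written.push(target);
    }
    Ok(written)
}

fn main() {
    // Constructed sample entries: two benign, one traversal attempt.
    for name in ["bin/goose", "./README", "/etc/passwd", "bin/../../x"] {
        println!("{name:?} -> {:?}", validate_entry_path(name));
    }
}
```

`Path::components()` already strips redundant separators and `.` segments, so the check only has to refuse `ParentDir`, `RootDir` and `Prefix`; the lexical `starts_with` re-check in `safe_destination` costs nothing and catches a regression in the first function. Symlinks inside the archive are a separate concern (a symlink entry pointing outside `dest` followed by a file written through it) and are not covered by this path check.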
File tree
3 files changed, +1479 -36 lines changed
- crates/goose-cli
  - src/commands