
chore: sync core lib and CLAUDE.md from agent-core#14

Closed
avifenesh wants to merge 1 commit into main from chore/sync-core-learn-20260426-130759

Conversation

@avifenesh (Contributor) commented Apr 26, 2026

Automated sync of lib/ and CLAUDE.md from agent-core.


Note

Medium Risk
Touches the runtime binary download/install path, adding checksum verification and new extraction logic (including a custom PowerShell zip extractor), which could cause install failures or platform-specific regressions if release assets or archive layouts differ.

Overview
Hardens the agent-analyzer runtime installer against supply-chain and archive-extraction attacks. Downloads now require a matching .sha256 sidecar (with an explicit local-dev-only skipChecksum escape hatch) and abort on mismatch before any extraction.

Extraction is reworked to use an isolated scratch directory with pre-validation of archive entry paths (rejecting absolute/UNC/drive-letter paths and .. traversal), post-extraction checks for symlinks/escape, and only the expected binary is copied into ~/.agent-sh/bin while all other extracted content is discarded. On Windows, zip handling switches from Expand-Archive command strings to a -File PowerShell helper script that validates entries and avoids quoting/space issues.

Adds a comprehensive node:test suite for checksum parsing/verification, path validation, scratch cleanup, and basic tar/zip extraction behavior, and exports several helper functions for testing/advanced use.

Reviewed by Cursor Bugbot for commit 647deaf.

