Harden npm installer: checksum verification, HTTPS-only redirects, no shell injection
- Add SHA256 checksum verification against checksums.txt (was missing, all other installers had it)
- Validate URL scheme on every redirect hop (HTTPS-only, max 5 redirects)
- Replace execSync string interpolation with execFileSync array args (eliminates shell injection vector)
- Add path traversal check on extracted binary (tar-slip defense)
Martin Vogel committed
ce20ff9bbe1d79102f34d2587a66c279986e663e
Parent: a89bf96