sec(install): validate redirect URL origin before trusting resolved version#659

Closed

latenighthackathon wants to merge 1 commit into NVIDIA:main from latenighthackathon:sec/install-validate-redirect-origin


Conversation

@latenighthackathon
Contributor

Summary

  • resolve_redirect() follows HTTP redirects to determine the latest release tag but never validated the final URL origin
  • A compromised CDN, DNS poisoning, or open redirect could cause the installer to download binaries from an attacker-controlled server
  • Added origin validation: resolved URLs must match https://github.com/NVIDIA/OpenShell/* or the installer aborts
  • Also capped redirect depth in download() to 5 as defense-in-depth

Test plan

  • Run install.sh normally — verify latest version resolves and installs correctly
  • Set OPENSHELL_VERSION explicitly — verify resolve_redirect is skipped (existing behavior)
  • Test with a mock redirect to a non-GitHub URL — verify the installer aborts with a clear error message

Closes #638

…ersion

resolve_redirect() follows HTTP redirects to determine the latest
release tag, but never validated that the final URL still pointed to
the expected GitHub repository. A compromised CDN, DNS poisoning, or
an open redirect could cause the installer to extract a version tag
from — and subsequently download binaries from — an attacker-controlled
origin.

Add origin validation: reject resolved URLs that don't match
https://github.com/NVIDIA/OpenShell/*. Also cap redirect depth
in download() to 5 as defense-in-depth.

Closes NVIDIA#638
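The check the PR description and commit message describe, written out as an added example that is not the PR's or OpenShell's own install.sh code: an exact-prefix origin match on the resolved URL, a redirect follower capped at 5 hops that re-checks the origin on every hop, and tag extraction that only trusts a release-tag URL. Function names and the mock_location redirect table are assumptions; the mock stands in for live curl Location headers so the script runs offline.

```bash
# Added example (not OpenShell's own install.sh): exact-prefix origin check on
# the resolved URL plus a bounded redirect follower; names are assumed.
set -eu
EXPECTED_PREFIX="https://github.com/NVIDIA/OpenShell/"
MAX_REDIRECTS=5

# Literal prefix match (trailing slash included) rejects look-alike hosts such
# as github.com.evil.example and sibling paths such as /NVIDIA/OpenShellX/.
validate_origin() {
  case "$1" in
    "${EXPECTED_PREFIX}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# follow_redirects RESOLVER URL: RESOLVER prints the Location for URL, or nothing
# when URL is final. Each hop is origin-checked before it is followed.
follow_redirects() {
  local resolver="$1" url="$2" next hops=0
  while :; do
    validate_origin "$url" || { echo "refusing off-origin URL: $url" >&2; return 1; }
    next="$("$resolver" "$url")"
    if [ -z "$next" ]; then printf '%s\n' "$url"; return 0; fi
    hops=$((hops + 1))
    [ "$hops" -le "$MAX_REDIRECTS" ] || { echo "too many redirects" >&2; return 1; }
    url="$next"
  done
}

# resolve_version RESOLVER START_URL: final URL must be a release-tag page under
# EXPECTED_PREFIX, and the tag must look like a version (no shell metacharacters).
resolve_version() {
  local final tag
  final="$(follow_redirects "$1" "$2")" || return 1
  case "$final" in
    "${EXPECTED_PREFIX}releases/tag/"*) ;;
    *) echo "unexpected final URL: $final" >&2; return 1 ;;
  esac
  tag="${final##*/}"
  printf '%s\n' "$tag" | grep -Eq '^v?[0-9]+(\.[0-9]+)*([.-][A-Za-z0-9]+)*$' || return 1
  printf '%s\n' "$tag"
}

# Constructed redirect table (assumed values) standing in for live HTTP responses.
mock_location() {
  case "$1" in
    "${EXPECTED_PREFIX}releases/latest") echo "${EXPECTED_PREFIX}releases/tag/v0.9.1" ;;
    "${EXPECTED_PREFIX}releases/poisoned") echo "https://cdn.evil.example/NVIDIA/OpenShell/releases/tag/v9.9.9" ;;
    "${EXPECTED_PREFIX}loop"*) echo "${EXPECTED_PREFIX}loop$((${1##*loop} + 1))" ;;
  esac
}
```

In a real installer, mock_location would be replaced by a function that issues a single non-following HEAD request and prints the Location header, so that every hop passes through validate_origin.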
@latenighthackathon latenighthackathon requested a review from a team as a code owner March 29, 2026 19:56
@github-actions

Thank you for your interest in contributing to OpenShell, @latenighthackathon.

This project uses a vouch system for first-time contributors. Before submitting a pull request, you need to be vouched by a maintainer.

To get vouched:

  1. Open a Vouch Request discussion.
  2. Describe what you want to change and why.
  3. Write in your own words — do not have an AI generate the request.
  4. A maintainer will comment /vouch if approved.
  5. Once vouched, open a new PR (preferred) or reopen this one after a few minutes.

See CONTRIBUTING.md for details.

@github-actions

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:


I have read the DCO document and I hereby sign the DCO.


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

@github-actions github-actions bot closed this Mar 29, 2026
@latenighthackathon
Contributor Author

I have read the DCO document and I hereby sign the DCO.

@latenighthackathon
Contributor Author

recheck

Development

Successfully merging this pull request may close these issues.

sec(install): install.sh follows redirects without validating final URL origin

1 participant