
Provide versioned, checksummed release binaries #705

@saitota

Description

install-standalone.sh has the following issues from the perspectives of dependency pinning and supply chain security.

From install-standalone.sh:

    URL=https://$AUTIFY_S3_BUCKET.s3.amazonaws.com/$AUTIFY_S3_PREFIX-$OS-$ARCH.$TAR_EXT
    curl "$URL" | tar "$TAR_ARGS"

  1. The URL does not include a version, so the same CI configuration can install a different binary depending on when it runs. It cannot be pinned via a lockfile.
  2. There is no checksum or signature verification. The script pipes curl directly into tar, so tampering with the distribution source cannot be detected.
  3. The curl | sudo bash pattern leaves no path for users to inspect the content locally before executing it. If the distributed bash uploader were tampered with — as in the Codecov incident (2021), where CI environment variables were leaked — users would have no way to defend themselves.

Proposal

Per-platform binaries are already produced as $OS-$ARCH.tar.xz, so it would be a significant improvement to additionally publish:

  • Stable URLs that include the version (e.g. …/v0.73.1/autify-darwin-arm64.tar.xz)
  • SHA256 checksum files
  • Ideally, binaries attached to GitHub Releases

This would enable version pinning via mise/asdf, user-side tamper verification, and installation in rootless environments (Dev Containers, CI containers, etc.).
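The install step the proposal asks for, written out as an added example; this is not code from install-standalone.sh or the Autify project. It assumes the versioned layout suggested above (`<base>/v<VERSION>/autify-<OS>-<ARCH>.tar.xz`) plus a sibling `<name>.sha256` file in `sha256sum` format, which the project does not publish today. `fetch_release`, `verify_and_extract`, `make_fixture` and the `AUTIFY_BASE_URL` variable are hypothetical names, and the release archive built by `make_fixture` is a constructed stand-in so the verification path can be exercised offline. The point is the ordering: download to a file, compare the digest against the pinned expectation, and only then hand the archive to tar.

```shell
#!/bin/sh
# Pinned, checksum-verified install (added example, not the project's script).
# Assumed layout: $AUTIFY_BASE_URL/v$VERSION/autify-$OS-$ARCH.tar.xz and a
# sibling "<name>.sha256" file in sha256sum format ("<hex>  <name>").
set -eu

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_release VERSION OS ARCH DIR
# Downloads the pinned archive and its checksum file into DIR as files
# (never piped into tar), so both can be inspected before anything runs.
# Prints the archive path. Not exercised offline; needs network access.
fetch_release() {
    version=$1; os=$2; arch=$3; dir=$4
    name="autify-$os-$arch.tar.xz"
    base="${AUTIFY_BASE_URL:?set to the release host, e.g. a GitHub Releases URL}/v$version"
    mkdir -p "$dir"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dir/$name" "$base/$name"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dir/$name.sha256" "$base/$name.sha256"
    printf '%s\n' "$dir/$name"
}

# verify_and_extract ARCHIVE CHECKSUM_FILE DEST
# Extracts ARCHIVE into DEST only when its SHA-256 matches the entry for its
# basename in CHECKSUM_FILE. A missing entry or a mismatch returns 1 and
# leaves DEST untouched, so a tampered or swapped archive never reaches tar.
verify_and_extract() {
    archive=$1; sums=$2; dest=$3
    name=$(basename "$archive")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    actual=$(sha256_of "$archive")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$dest"
    tar -xf "$archive" -C "$dest"   # compression is auto-detected on extract
}

# make_fixture DIR
# Constructed sample release, not a real Autify artifact: a tiny "autify"
# script packed as autify-linux-x64.tar.gz with a matching .sha256 file.
# gzip rather than xz so the example runs wherever tar exists. Prints the path.
make_fixture() {
    dir=$1
    mkdir -p "$dir/src"
    printf '#!/bin/sh\necho autify-fixture\n' > "$dir/src/autify"
    chmod 755 "$dir/src/autify"
    fixture="$dir/autify-linux-x64.tar.gz"
    tar -czf "$fixture" -C "$dir/src" autify
    printf '%s  %s\n' "$(sha256_of "$fixture")" "$(basename "$fixture")" > "$fixture.sha256"
    printf '%s\n' "$fixture"
}

# Usage against a real release (hypothetical URL layout):
#   archive=$(fetch_release "$AUTIFY_VERSION" linux x64 /tmp/autify-dl)
#   verify_and_extract "$archive" "$archive.sha256" "$HOME/.local/bin"
```

Checksum files protect against corruption and against a tampered archive only when the `.sha256` value is obtained through a channel the attacker does not also control, for example pinned into the CI configuration or lockfile rather than fetched fresh beside the archive; a signature (GPG or Sigstore) on the release closes that gap, and the flow above is the place it would slot in, before `tar` runs.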
