feat: add sfw shims and checksum validation

[John-David Dalton (jdalton)]

Summary

• Shims: Creates shim scripts for supported package managers (npm, pnpm, yarn, pip, pip3, uv, cargo, plus enterprise-only bundler, gem, nuget, go) so commands like npm install are automatically routed through sfw — no explicit sfw prefix needed. Handles both bash and .cmd shims on Windows. Can be disabled with shims: 'false'. Exports SFW_SHIM_DIR so publish workflows can temporarily disable shims.
• Hardcoded version + checksum validation: Pins sfw binaries to v1.6.1 with SHA256 checksums embedded per platform/edition. Downloaded binaries are validated against these hardcoded hashes before caching — no separate .sha256 file download. Users can override with firewall-version but get a warning that checksum validation may fail for non-pinned versions.
• MSYS path normalization: Converts MSYS-style paths (/c/Users/...) to native Windows paths (C:\Users\...) so sfw and PowerShell resolve binaries correctly on Windows runners.
• Sorted inputs: Alphabetized inputs in action.yml and src/main.js.
• Updated README: Documents shims, checksum validation, supported ecosystems (free vs enterprise), and how to bypass shims for publishing.

Test plan

• Test firewall-free mode with shims enabled — verify npm install routes through sfw
• Test firewall-enterprise mode with socket-token
• Test checksum validation passes for a valid binary download
• Test shims: 'false' still requires explicit sfw prefix
• Test on Linux x64 and macOS arm64 runners
• Test Windows .cmd shim scripts work in cmd.exe and PowerShell
• Test MSYS path normalization on Windows runners