Add curl|bash installer + wire upload into publish script

scripts/install.sh is the one-command installer end users run as

    curl -fsSL https://releases.thaloco.com/banger/install.sh | bash

Design choices:

* Runs as the invoking user. All network work + signature verification
  happens unprivileged; sudo is only re-execed for the actual install
  step that writes to /usr/local and creates systemd units.
* Right before the sudo prompt, the script prints a plain-language
  summary of exactly what's about to happen — the file paths it will
  create and a one-line "why sudo" — so the user authorises a known
  scope rather than the whole pipeline. Detail link in the docs.
* Uses openssl (universally available) for signature verification, not
  cosign. cosign is needed only by the *signer*, never the verifier.
* No jq dependency. The latest_stable field is extracted from the
  manifest with grep+sed, since the manifest shape is well-defined and
  we control it.
* /dev/tty fallback for the confirmation prompt so it works through
  the curl|bash pipe.
* --yes for non-interactive CI use, --user for installing into
  ~/.local/bin without touching system paths, --version vX.Y.Z to pin.

publish-banger-release.sh now uploads install.sh to the bucket root
on every publish, so the curl URL is stable but the script logic
matches the latest verified release. It also runs a key-drift check:
if scripts/install.sh's embedded cosign public key differs from the
one in internal/updater/verify_signature.go, publishing aborts. The
two copies must stay in sync or one of them ends up rejecting every
release.

README's Quick start now leads with the installer one-liner and
documents the audit-first variant alongside it; building from source
moves below.

Smoke-tested end to end against the live bucket with --user mode:
manifest fetch → tarball download → cosign signature verify → hash
verify → extract → install. The installed binary reports v0.1.0 at
commit 6fdebd9, matching the published artifact.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent d1c4619a01
commit 3c29af55a2
3 changed files with 296 additions and 0 deletions
@ -155,6 +155,19 @@ cosign verify-blob \
--signature "$OUT_DIR/SHA256SUMS.sig" \
"$OUT_DIR/SHA256SUMS"
# install.sh embeds its own copy of the public key for end-user
# verification (curl|bash trust path). Make sure the two copies didn't
# drift; a release with mismatched keys would either reject all
# `banger update` calls or all `install.sh | bash` runs.
log "checking install.sh embedded key matches verify_signature.go"
INSTALL_PUB="$OUT_DIR/install-script-pubkey.pem"
sed -n "/-----BEGIN PUBLIC KEY-----/,/-----END PUBLIC KEY-----/p" \
"$REPO_ROOT/scripts/install.sh" \
| sed -E "s/.*(-----BEGIN PUBLIC KEY-----)/\\1/; s/(-----END PUBLIC KEY-----).*/\\1/" \
> "$INSTALL_PUB"
diff -q "$EMBEDDED_PUB" "$INSTALL_PUB" >/dev/null \
|| die "scripts/install.sh embedded key differs from internal/updater/verify_signature.go; sync them before publishing"
# Build the manifest. Pull the existing manifest from the bucket so
# we don't lose previous release entries, append this one, bump
# latest_stable, write back.
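Review bot: the drift check compares the two PEM blobs byte-for-byte with `diff -q`, so a harmless trailing newline, CRLF or heredoc indentation difference in scripts/install.sh aborts the publish, while the opposite failure, the sed range capturing text that is not a parseable key, goes undetected. Comparing key fingerprints does both: run `openssl pkey -pubin -in "$INSTALL_PUB" -outform DER | sha256sum` (and the same for `$EMBEDDED_PUB`) and `die` if the digests differ; openssl rejects malformed input, so an empty or truncated extraction still fails closed. The second sed only trims text around the BEGIN/END markers on their own lines, so it silently relies on the key body in install.sh being unindented; a comment stating that assumption would save the next person a confusing abort.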
@ -206,6 +219,15 @@ rclone copy "$OUT_DIR/SHA256SUMS.sig" "$RCLONE_DEST_BASE/$VERSION/"
log "uploading manifest"
rclone copy "$NEW_MANIFEST" "$RCLONE_DEST_BASE/"
# install.sh lives at the bucket root (unversioned) so the
# `curl ... install.sh | bash` URL stays stable across releases. The
# script reads manifest.json to find the current latest_stable, so as
# long as install.sh's logic doesn't break, it keeps working for older
# releases too.
log "uploading install.sh"
rclone copy "$REPO_ROOT/scripts/install.sh" "$RCLONE_DEST_BASE/"
log "done. verify with:"
log " curl -fsSL $BASE_URL/$BUCKET_PATH/manifest.json | jq ."
log " curl -fsSL $BASE_URL/$BUCKET_PATH/install.sh | head -20"
log " banger update --check"