feat(updates): implement production-ready update system with security and reliability features

Upgrade the software update subsystem from prototype to production-ready with
comprehensive integrity verification, automatic retry, and resume capabilities.

Security Enhancements:
- SHA256 checksum verification for all downloaded files
- File format validation (PE headers for Windows .exe)
- Source URL validation (GitHub-only)
- File permission hardening (chmod 0o600)
- Document security trade-offs (DOS header vs full PE validation)

Reliability Features:
- Resume interrupted downloads using HTTP Range headers
- Exponential backoff with jitter (3 retries, configurable)
- Automatic retry on network/filesystem errors
- Proper error classification and logging

New Capabilities:
- Direct wheel installation from GitHub release assets
- Automatic checksum discovery from multiple asset formats (SHA256SUMS, *.sha256, checksums.txt)
- Fallback to release notes for checksums
- Corporate proxy support via environment variables

Code Quality:
- Extract magic values to named constants (DOWNLOAD_BLOCK_SIZE, PE_MAGIC_BYTES)
- Replace generic exceptions with specific types
- Use contextlib.suppress() for optional operations
- Document non-cryptographic use of random.uniform() for timing jitter

Testing:
- Add checksum parsing tests for various release asset formats
- Update download tests to use allow_resume parameter
- All existing tests remain passing (70+ tests)

Documentation:
- Update ARCHITECTURE_1_software_update.md marking features as implemented
- Change 14 items from ❌ TODO to ✅ IMPLEMENTED
- Add Known Limitations section documenting security trade-offs

Closes: Security requirements for production deployment
Ref: ARCHITECTURE_1_software_update.md

Author: amilcarlucas

ARCHITECTURE_1_software_update.md

@@ -14,7 +14,7 @@
 import re
 from argparse import ArgumentParser
 from logging import basicConfig as logging_basicConfig
-from logging import debug as logging_error
+from logging import error as logging_error
 from logging import getLevelName as logging_getLevelName
 from logging import info as logging_info
 from logging import warning as logging_warning
@@ -29,6 +29,7 @@
 from ardupilot_methodic_configurator.backend_internet import (
     download_and_install_on_windows,
     download_and_install_pip_release,
+    get_expected_sha256_from_release,
     get_release_info,
     webbrowser_open_url,
 )
@@ -62,40 +63,49 @@ def __init__(self) -> None:
         self.dialog: Optional[UpdateDialog] = None
 
     def _perform_download(self, latest_release: dict[str, Any]) -> bool:
+        result = False
         if platform.system() == "Windows":
             try:
                 # Look for .exe files first
                 exe_assets = [
                     asset for asset in latest_release.get("assets", []) if asset.get("name", "").lower().endswith(".exe")
                 ]
 
+                asset = None
                 if exe_assets:
                     asset = exe_assets[0]  # Use the first .exe file
                 elif latest_release.get("assets"):
                     asset = latest_release["assets"][0]  # Fallback to first asset
+
+                if asset is not None:
+                    expected_sha256 = get_expected_sha256_from_release(latest_release, asset["name"])
+                    result = download_and_install_on_windows(
+                        download_url=asset["browser_download_url"],
+                        file_name=asset["name"],
+                        progress_callback=self.dialog.update_progress if self.dialog else None,
+                        expected_sha256=expected_sha256,
+                    )
                 else:
                     logging_error(_("No suitable assets found for Windows installation"))
-                    return False
-
-                return download_and_install_on_windows(
-                    download_url=asset["browser_download_url"],
-                    file_name=asset["name"],
-                    progress_callback=self.dialog.update_progress if self.dialog else None,
-                )
+                    result = False
             except (KeyError, IndexError) as e:
                 logging_error(_("Error accessing release assets: %s"), e)
-                return False
+                result = False
             except Exception as e:  # pylint: disable=broad-exception-caught
                 logging_error(_("Error during Windows download: %s"), e)
-                return False
+                result = False
+        else:
+            # For Linux/macOS, install from PyPI using pip
+            try:
+                result = (
+                    download_and_install_pip_release(progress_callback=self.dialog.update_progress if self.dialog else None)
+                    == 0
+                )
+            except Exception as e:  # pylint: disable=broad-exception-caught
+                logging_error(_("Error during pip installation: %s"), e)
+                result = False
 
-        try:
-            return (
-                download_and_install_pip_release(progress_callback=self.dialog.update_progress if self.dialog else None) == 0
-            )
-        except Exception as e:  # pylint: disable=broad-exception-caught
-            logging_error(_("Error during pip installation: %s"), e)
-            return False
+        return result
 
     def check_and_update(self, latest_release: dict[str, Any], current_version_str: str) -> bool:
         try: