
fix(security): warn when verifying with a broken hash algorithm#93

Merged: albertodebortoli merged 1 commit into main from security/warn-weak-hash, Jun 13, 2026

Conversation

@albertodebortoli (Member)

Description

  • What & why: Luca lets a tool pin its checksum algorithm, and MD5 and SHA-1 are selectable. Both are collision-broken: an attacker who controls the download can craft a malicious artifact that matches a published MD5/SHA-1 digest, so a "verified" install provides a false sense of integrity.
  • Fix: ToolInstaller now emits a danger-styled warning when a tool is verified with MD5 or SHA-1, recommending sha256/sha512. Adds ChecksumAlgorithm.isCryptographicallyWeak to centralise the classification.
  • Trade-offs: MD5/SHA-1 remain selectable for compatibility with upstreams that only publish those digests — the change surfaces the risk rather than removing the option, avoiding a breaking change.

Type of Change

  • Bug fix
  • Feature
  • Maintenance / Refactor
  • Documentation
  • CI / Tooling
  • Other (specify)

How Has This Been Tested?

swift build and swift test locally on macOS (arm64).

  • Added / updated unit tests
  • Manually tested locally (verified a tool with an md5 checksum and confirmed the warning)
  • Tested on macOS (arch: arm64)

New test: parameterised isCryptographicallyWeak coverage (md5/sha1 → true, sha256/sha512 → false). Existing checksum-validation tests still pass.

Checklist

  • Swift code builds locally (swift build)
  • Tests pass locally (swift test)
  • Code style / formatting respected
  • Documentation updated (DocC comment on the new property)

Breaking Changes?

  • No

Additional Notes

Part of a set of independent supply-chain hardening changes; this PR stands alone and can be merged on its own.
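The classification and the warning path sketched in the description above, as an added example that is not Luca's code: it assumes Apple CryptoKit (so it runs on macOS, where the PR was tested), and the names are assumptions (ChecksumAlgorithm mirrors the type the PR names, while VerificationResult and verify(artifact:expected:algorithm:) are hypothetical stand-ins for whatever ToolInstaller does internally). The trailing loop plays the role of the parameterised isCryptographicallyWeak test described under "How Has This Been Tested?".

```swift
import Foundation
import CryptoKit

/// Hypothetical mirror of the checksum-algorithm enum named in the PR (not Luca's code).
enum ChecksumAlgorithm: String, CaseIterable {
    case md5, sha1, sha256, sha512

    /// MD5 and SHA-1 are collision-broken: a digest match no longer proves the artifact
    /// is the one the publisher hashed, so verification with them only warns.
    /// The exhaustive switch (no `default`) forces a decision when a new case is added.
    var isCryptographicallyWeak: Bool {
        switch self {
        case .md5, .sha1:      return true
        case .sha256, .sha512: return false
        }
    }

    /// Lowercase hex digest of `data` under this algorithm.
    func digest(of data: Data) -> String {
        let bytes: [UInt8]
        switch self {
        case .md5:    bytes = Array(Insecure.MD5.hash(data: data))
        case .sha1:   bytes = Array(Insecure.SHA1.hash(data: data))
        case .sha256: bytes = Array(SHA256.hash(data: data))
        case .sha512: bytes = Array(SHA512.hash(data: data))
        }
        return bytes.map { String(format: "%02x", $0) }.joined()
    }
}

/// Hypothetical result type: the match verdict plus any warnings raised on the way.
struct VerificationResult {
    let matches: Bool
    let warnings: [String]
}

/// Hypothetical stand-in for the installer's verification step. The digest is still
/// checked for weak algorithms (a mismatch is still a hard failure); the weakness is
/// surfaced as a warning rather than by refusing the algorithm, matching the PR's trade-off.
func verify(artifact: Data, expected: String, algorithm: ChecksumAlgorithm) -> VerificationResult {
    var warnings: [String] = []
    if algorithm.isCryptographicallyWeak {
        // Stand-in for the "danger-styled" warning: plain text on stderr.
        warnings.append("DANGER: \(algorithm.rawValue) is collision-broken; a matching digest "
                        + "does not prove integrity. Prefer sha256 or sha512.")
    }
    // The expected digest is public, so a plain comparison is fine here.
    let matches = algorithm.digest(of: artifact) == expected.lowercased()
    return VerificationResult(matches: matches, warnings: warnings)
}

// Constructed sample artifact; any bytes would do.
let sample = Data("luca-sample-artifact".utf8)

// Parameterised check over every selectable algorithm, in the spirit of the PR's new test:
// md5/sha1 must warn, sha256/sha512 must not, and the digest must match in all cases.
for algorithm in ChecksumAlgorithm.allCases {
    let published = algorithm.digest(of: sample)
    let result = verify(artifact: sample, expected: published, algorithm: algorithm)
    precondition(result.matches, "\(algorithm.rawValue): digest should match")
    precondition(result.warnings.isEmpty != algorithm.isCryptographicallyWeak,
                 "\(algorithm.rawValue): warning state must follow isCryptographicallyWeak")
    for warning in result.warnings {
        FileHandle.standardError.write(Data((warning + "\n").utf8))
    }
    print("\(algorithm.rawValue): verified=\(result.matches) weak=\(algorithm.isCryptographicallyWeak)")
}

// A tampered artifact still fails under every algorithm; the warning only changes what a
// *successful* match is allowed to mean.
let tampered = Data("luca-sample-artifact-tampered".utf8)
for algorithm in ChecksumAlgorithm.allCases {
    let published = algorithm.digest(of: sample)
    precondition(!verify(artifact: tampered, expected: published, algorithm: algorithm).matches)
}
```

Putting the weak/strong classification on the enum itself, rather than on a string comparison inside the installer, is what keeps the warning from drifting: every selectable algorithm is a case, the switch is exhaustive, and the test iterates `allCases`, so a newly added algorithm cannot silently land in the "no warning" bucket. On Linux the same code builds against swift-crypto by replacing `import CryptoKit` with `import Crypto`.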

@albertodebortoli albertodebortoli added this to the 0.21.0 milestone Jun 13, 2026
@albertodebortoli albertodebortoli added the security Security fixes label Jun 13, 2026
@codecov

codecov Bot commented Jun 13, 2026


Codecov Report

❌ Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.

Files with missing lines                                  Patch %   Lines
...ManagerCore/Core/ToolInstaller/ToolInstaller.swift     75.00%    1 Missing ⚠️


ToolInstaller now emits a danger-styled warning when a tool is verified with
MD5 or SHA-1, both of which are collision-broken and forgeable by an attacker
who controls the download. Adds ChecksumAlgorithm.isCryptographicallyWeak.
@albertodebortoli albertodebortoli force-pushed the security/warn-weak-hash branch from 11aa451 to 6fc4290 Compare June 13, 2026 20:56
@albertodebortoli albertodebortoli marked this pull request as ready for review June 13, 2026 20:57
@albertodebortoli albertodebortoli merged commit 5d1547d into main Jun 13, 2026
3 checks passed
@albertodebortoli albertodebortoli deleted the security/warn-weak-hash branch June 13, 2026 20:59