Scopes the sudo keep-alive loop to automated operations only

[rolandboon]

The manjikaze script uses a background loop that refreshes the sudo timestamp every 60 seconds, keeping root access alive without re-prompting. This is necessary because a fresh install or system update can take >5 minutes, exceeding sudo's default timeout.

The problem with the current implementation is that this loop runs for the entire manjikaze session. Including the interactive menu, where the user may spend an extended period browsing options. During that time, any subprocess (or rogue process in the same session) effectively has passwordless root access.

This PR changes:
The keep-alive loop has been extracted into start_sudo_keepalive and stop_sudo_keepalive helpers in. In manjikaze, the keep-alive is now:

• Started after sudo -v (the initial authentication prompt)
• Stopped before handle_menu (the interactive menu)
• Cleaned up on exit via an EXIT trap

This means the privileged window is limited to exactly the operations that need it (updates, prerequisite installation, migrations, audits) and does not extend into interactive use.

On the manjikaze update path the keep-alive runs for the full operation and is cleaned up when the script exits, which is acceptable since that path is fully automated with no interactive menu.