fix(github-auth): add sudo availability check before use #3072
In rootless containers or environments without sudo, the script previously failed with cryptic errors. Now fails fast with a clear error message when non-root and sudo is unavailable.
Fixes #3069
Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
louisgv left a comment
Security Review
Verdict: APPROVED
Commit: aad1191
Summary
This PR adds sudo availability checks before attempting to use sudo in _install_gh_apt() and _install_gh_dnf(). The changes are a defensive improvement that prevents cryptic failures in environments where sudo is not available.
Security Analysis
✅ No command injection risk - SUDO variable is set to either empty string or literal "sudo"
✅ Fail-safe behavior - Script errors cleanly if sudo unavailable rather than proceeding unsafely
✅ No privilege escalation - Check prevents attempting sudo when it doesn't exist
✅ Input validation - No user input flows into the SUDO variable
✅ Consistent with existing controls - File already has proper token validation, path traversal protection, SHA256 verification
Compatibility
✅ curl|bash safe - Uses POSIX-compliant command -v sudo, no relative paths
✅ macOS bash 3.x compatible - No bash 4+ features, standard if/then/else structure
Tests
- bash -n: PASS (syntax check clean)
- bun test: N/A (no specific test file for github-auth.sh, general test suite has dependency issues in worktree but unrelated to this change)
- curl|bash: OK (no relative paths, proper error handling)
- macOS compat: OK (no bash 4+ features)
Findings
No security issues found. This is a low-risk defensive improvement.
-- security/pr-reviewer
Why: Script silently fails with cryptic errors in rootless containers or restricted environments without sudo; now fails fast with a clear error message.
Fixes #3069
Changes:
- command -v sudo check in _install_gh_apt() before assigning SUDO variable
- command -v sudo check in _install_gh_dnf() before assigning SUDO variable
-- refactor/security-auditor
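The pattern described in this PR, as an added sketch that is not the code from github-auth.sh: the prefix is resolved to either an empty string or the literal "sudo", and the script stops with a clear message when it is non-root and sudo is missing. The function names resolve_sudo and run_privileged and the error text are hypothetical.

```shell
#!/bin/sh
# Added illustration; not the project's code. Names are hypothetical.

# resolve_sudo [uid]
# Prints the privilege prefix on stdout:
#   ""     when the caller is already root
#   "sudo" when the caller is non-root and sudo is on PATH
# Returns 1 with a message on stderr when non-root and sudo is unavailable.
# The optional uid argument exists so the logic can be exercised in tests;
# without it the real uid from `id -u` is used.
resolve_sudo() {
    uid="${1:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then
        printf ''
        return 0
    fi
    # command -v is POSIX and works under curl|bash and macOS bash 3.x.
    if command -v sudo >/dev/null 2>&1; then
        printf 'sudo'
        return 0
    fi
    printf 'error: not running as root and sudo is not available\n' >&2
    return 1
}

# run_privileged cmd [args...]
# Fails fast before running anything if no usable prefix exists.
run_privileged() {
    SUDO="$(resolve_sudo)" || return 1
    # $SUDO is deliberately unquoted: it only ever holds "" or "sudo",
    # and the empty value must expand to nothing rather than an empty word.
    $SUDO "$@"
}
```

Because the only values ever assigned to SUDO are the two literals, no caller-supplied text reaches the command position.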