[PLUGINS] Add deterministic plugin checksum/signature verification in CI

[utksh1]

Problem

SecuScan needs a production-grade improvement in this area: Plugin integrity automation..

Scope

Fail CI when plugin metadata checksum/signature is stale, provide a focused error message, and document the refresh/sign commands.

Acceptance Criteria

• The implementation is focused and does not introduce unrelated UI, docs, lockfile, or formatting churn.
• Security-sensitive behavior has explicit negative tests where applicable.
• Existing tests continue to pass, and new tests cover the main success and failure paths.
• Documentation or configuration examples are updated when operator behavior changes.

Verification

CI tests should fail on a deliberately modified plugin fixture and pass after refresh.

Difficulty

Hard, useful issue intended for experienced contributors.

[SaumyaT-21]

Hello @utksh1 ! I'm a GSSoC '26 contributor. This issue looks challenging but I'd like to take a try at it. I’m interested in hardening the project's integrity automation and am ready to dive into the research needed for deterministic verification. I've already been working on the project's testing suite and would love to build out this CI check. It might take some time but I'm ready to learn so if possible, please assign this to me.

[aaniya22]

Please assign this issue to me under Gssoc'26

[SaumyaT-21]

Thanks @utksh1 ! The formatting and hygiene fixes for #107 are now fully resolved and passing.
I’ll be diving into this issue next. Since this involves some newer, more advanced concepts for me, I expect a bit of a learning curve as I work through the implementation details. I’m eager to tackle the challenge and will make sure to keep you updated with my progress along the way!