feat: implement native bundle hash verification on iOS and Android

[exo-doguhan]

loadVerified was implemented in JS: fetch the bundle, call response.arrayBuffer(), hash in TypeScript. On large bundles, Hermes throws a RangeError at the engine level
(uncatchable).

Changes:

• iOS / Android: loadVerifiedFromUrl is now a native method. Download, SHA-256 hash, and constant-time comparison all happen in native code.
• (Android) process restart instead of in-process bridge swap: Unlike iOS (which tears down and recreates the bridge in-process) - (I suspect) due to Android's GC cannot guarantee the old Hermes runtime's native heap is freed before the new one allocates. Running both simultaneously crashes app. The module instead writes the bundle, sets a one-shot flag and restarts via startActivity + killProcess. The host app's ReactNativeHost reads the flag on next launch and serves the cached file.
• (Android) Metro bypass required: RN 0.78 ignores getJSBundleFile() when getUseDeveloperSupport() is true and Metro is reachable. ReactInstanceManager calls DevSupportManager.handleReloadJS() regardless. The host app must return false from getUseDeveloperSupport() when a pending bundle exists.
  • One-shot behaviour: The remote bundle is active for one session only. The next cold start clears the latch and returns to Metro — matching iOS behaviour.
• loadFromBase64 removed.
• README: Android integration section rewritten to document the process-restart approach

Verified: tested end-to-end on iOS and Android by scanning a QR code pointing to a real S3 bundle with a correct SHA-256. Bridge reloaded from the verified file on both
platforms. On Android, confirmed one-shot behaviour: remote bundle active for one session, cold restart returns to Metro.