core/host: userspace version fingerprint (sudo, polkit)

The host fingerprint now captures sudo + polkit versions at startup
so userspace-LPE modules can consult a single source of truth
instead of each popen-ing the relevant binary themselves on every
scan. Pack2theroot already queries PackageKit version via D-Bus
in-module, so PackageKit stays there for now.

core/host.h:
- new fields: char sudo_version[64], char polkit_version[64].
  Empty string when the tool isn't installed or version parse fails;
  modules should treat that as PRECOND_FAIL.
- documented next to has_systemd / has_dbus_system in the struct.

core/host.c:
- new populate_userspace_versions(h) called from
  skeletonkey_host_get() after the other populators.
- capture_first_line() helper runs a command via popen, grabs first
  stdout line, strips newline. Best-effort: failure leaves dst empty.
- extract_version_after_prefix() pulls the version token after a
  fixed prefix string ('Sudo version', 'pkexec version'), handling
  the colon/space variants.
- skeletonkey_host_print_banner() gained a third line when either
  version is non-empty:
    [*] userspace: sudo=1.9.17p2  polkit=-

Module migration (graceful fallback pattern — modules still work
without ctx->host populated):
- sudo_samedit detect: if ctx->host->sudo_version is set, skip the
  popen and synthesize a 'Sudo version <X>' line for the existing
  parser. Falls back to the original find_sudo + popen path if the
  host fingerprint didn't capture a version.
- sudoedit_editor detect: same pattern — host fingerprint sudo_version
  takes precedence over the local get_sudo_version popen.

tests/test_detect.c additions (2 new cases, 33 → 35):
- h_vuln_sudo  fingerprint (sudo_version='1.8.31', kernel 5.15) —
  asserts sudo_samedit reports VULNERABLE via the host-provided
  version string.
- h_fixed_sudo fingerprint (sudo_version='1.9.13p1', kernel 6.12) —
  asserts sudo_samedit reports OK on a patched sudo.

This is the first test pair to cover the *vulnerable* path of a
module rather than just precondition gates — proves the
version-parsing logic itself, not only the short-circuits.

Verification: 35/35 pass on Linux. macOS banner shows
'userspace: sudo=1.9.17p2 polkit=-' as the dev box has Homebrew
sudo but no polkit.

tests/test_detect.c

@@ -55,6 +55,8 @@ extern const struct skeletonkey_module copy_fail_gcm_module;
 extern const struct skeletonkey_module dirty_frag_esp_module;
 extern const struct skeletonkey_module dirty_frag_esp6_module;
 extern const struct skeletonkey_module dirty_frag_rxrpc_module;
+extern const struct skeletonkey_module sudo_samedit_module;
+extern const struct skeletonkey_module sudoedit_editor_module;
 
 static int g_pass = 0;
 static int g_fail = 0;
@@ -136,6 +138,37 @@ static const struct skeletonkey_host h_fedora_no_debian = {
 	.has_systemd        = true,
 };
 
+/* Modern fingerprint with a known-vulnerable sudo (1.8.31 sits in
+ * both the samedit [1.8.2, 1.9.5p1] and sudoedit_editor
+ * [1.8.0, 1.9.12p2) vulnerable ranges). Used to assert the sudo
+ * modules accept the host-fingerprint version string and reach the
+ * VULNERABLE-by-version path. */
+static const struct skeletonkey_host h_vuln_sudo = {
+	.kernel  = { .major = 5, .minor = 15, .patch = 0,
+		     .release = "5.15.0-vulnsudo" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = true,
+	.sudo_version       = "1.8.31",
+};
+
+/* Modern fingerprint with a fixed sudo (1.9.13p1 is above both
+ * sudo_samedit and sudoedit_editor vulnerable ranges). */
+static const struct skeletonkey_host h_fixed_sudo = {
+	.kernel  = { .major = 6, .minor = 12, .patch = 0,
+		     .release = "6.12.0-fixedsudo" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = true,
+	.sudo_version       = "1.9.13p1",
+};
+
 /* Ubuntu 24.04, userns allowed, D-Bus running, Debian family
  * (because Ubuntu has /etc/debian_version). Used as the "fragnesia
  * preconditions OK" baseline — fragnesia should NOT short-circuit
@@ -365,6 +398,21 @@ static void run_all(void)
 	run_one("dirty_frag_rxrpc: userns_allowed=false → PRECOND_FAIL",
 		&dirty_frag_rxrpc_module, &h_kernel_5_14_no_userns,
 		SKELETONKEY_PRECOND_FAIL);
+
+	/* ── userspace version fingerprinting (sudo) ─────────────────
+	 * Both sudo modules now consult ctx->host->sudo_version
+	 * populated once at startup. */
+
+	/* sudo_samedit: vulnerable sudo 1.8.31 (range [1.8.2, 1.9.5p1])
+	 * → VULNERABLE by version */
+	run_one("sudo_samedit: sudo_version=1.8.31 → VULNERABLE",
+		&sudo_samedit_module, &h_vuln_sudo,
+		SKELETONKEY_VULNERABLE);
+
+	/* sudo_samedit: fixed sudo 1.9.13p1 (above 1.9.5p1) → OK */
+	run_one("sudo_samedit: sudo_version=1.9.13p1 → OK",
+		&sudo_samedit_module, &h_fixed_sudo,
+		SKELETONKEY_OK);
 #else
 	fprintf(stderr, "[i] non-Linux platform: detect() bodies are stubbed; "
 			"tests skipped (would tautologically pass).\n");