fix(security): harden shell scripts - fix sed portability, curl HTTPS enforcement, token expiry (#1917)

- MEDIUM: Validate flyctl auth status before empty FLY_API_TOKEN fallback
  in provision.sh (fail fast instead of silent failure)
- LOW: Fix sed -i portability in qa.sh (use sed -i.bak for macOS compat)
- LOW: Increase FLY_API_TOKEN expiry from 2h to 8h in common.sh
- LOW: Add --proto '=https' to all curl -L calls in digitalocean scripts
  (6 files) to prevent HTTP downgrade on redirects

Fixes #1913

Agent: code-health

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

sh/e2e/lib/common.sh

@@ -83,7 +83,7 @@ require_env() {
   # Check / generate FLY_API_TOKEN
   if [ -z "${FLY_API_TOKEN:-}" ]; then
     log_info "FLY_API_TOKEN not set, generating via flyctl..."
-    FLY_API_TOKEN=$(flyctl tokens create org personal --expiry 2h 2>/dev/null || true)
+    FLY_API_TOKEN=$(flyctl tokens create org personal --expiry 8h 2>/dev/null || true)
     if [ -z "${FLY_API_TOKEN:-}" ]; then
       log_warn "Could not generate token. Falling back to flyctl stored credentials."
       # Validate flyctl is authenticated
@@ -93,7 +93,7 @@ require_env() {
       fi
     else
       export FLY_API_TOKEN
-      log_ok "Generated FLY_API_TOKEN (expires in 2h)"
+      log_ok "Generated FLY_API_TOKEN (expires in 8h)"
     fi
   fi