fix: LS cleanup uses sudo -u for same-UID kill, prevent double kill

scripts/mitm-redirect.sh

@@ -60,9 +60,11 @@ install() {
     cat > "$SUDOERS_FILE" <<EOF
 # Allow $REAL_USER to run commands as $LS_USER (for antigravity proxy)
 $REAL_USER ALL=($LS_USER) NOPASSWD: ALL
+# Allow $REAL_USER to kill $LS_USER's processes (for clean shutdown)
+$REAL_USER ALL=(root) NOPASSWD: /usr/bin/kill -TERM *, /usr/bin/kill -KILL *, /usr/bin/pkill -TERM -u $LS_USER *, /usr/bin/pkill -KILL -u $LS_USER *
 EOF
     chmod 440 "$SUDOERS_FILE"
-    echo "  + sudoers: $REAL_USER can run as $LS_USER"
+    echo "  + sudoers: $REAL_USER can run as $LS_USER + kill $LS_USER processes"
 
     # ── 4. iptables REDIRECT (scoped to UID) ────────────────────────────
     # Remove existing rule first (idempotent)