
Feature Request: Force SOFA cache refresh when requiredMinimumOSVersion > Latest.ProductVersion #682

@manicmachine

Description


Nudge can incorrectly label an update as not having Actively Exploited CVEs when an admin pushes a new config out before the local SOFA cache gets updated with the latest release. While this can be mitigated by configuring refreshSOFAFeedTime to refresh more frequently, that unnecessarily adds load to the feed when we only need one out-of-cycle refresh.

To improve this situation, I propose Nudge forces a sync of the local SOFA cache if it detects that the requiredMinimumOSVersion is greater than the Latest.ProductVersion available in the cache. This way, we can keep the scheduled sync at a less frequent rate but be confident that updates to requiredMinimumOSVersion will accurately reflect its CVE status.

A potential issue with this solution would be that a misconfigured requiredMinimumOSVersion (say, an admin accidentally sets it to macOS 15.41 instead of 15.4.1) would cause Nudge to sync the SOFA cache upon each run. One potential solution to this would be to write some metadata to ~/Library/Application Support/com.github.macadmins.Nudge to track whether an out-of-band sync had already been performed for a given requiredMinimumOSVersion.
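The decision logic proposed above, written out as an added example (this is not Nudge's own code, and it is in Python rather than Swift so it can be run anywhere). It assumes a cached SOFA feed shaped like macadmins' macos_data_feed.json (OSVersions → Latest → ProductVersion / ActivelyExploitedCVEs), a marker file named sofa_sync_state.json with a key outOfBandSyncFor standing in for the metadata under ~/Library/Application Support/com.github.macadmins.Nudge, and constructed feed snapshots with a placeholder CVE id. The marker is what stops a typo such as 15.41 from forcing a sync on every run: the out-of-band sync happens once per distinct requiredMinimumOSVersion value.

```python
"""Out-of-band SOFA refresh decision, as proposed in the issue (illustrative)."""
import json
import os
import tempfile
from typing import Callable, Optional, Tuple

# Constructed feed snapshots; shape is an assumption modelled on the SOFA feed.
# The CVE id is a placeholder, not a real identifier.
STALE_FEED = {"OSVersions": [{"OSVersion": "Sequoia 15",
              "Latest": {"ProductVersion": "15.4", "ActivelyExploitedCVEs": []}}]}
FRESH_FEED = {"OSVersions": [{"OSVersion": "Sequoia 15",
              "Latest": {"ProductVersion": "15.4.1",
                         "ActivelyExploitedCVEs": ["CVE-EXAMPLE-1"]}}]}

def parse_version(s: str) -> Tuple[int, ...]:
    """'15.4.1' -> (15, 4, 1); '15.4' -> (15, 4, 0). Compare numerically, not as strings."""
    parts = [int(p) for p in s.strip().split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))

def cached_latest(feed: dict, major: int) -> Optional[str]:
    """Latest.ProductVersion that the cached feed holds for the given major train."""
    for entry in feed.get("OSVersions", []):
        latest = entry.get("Latest", {}).get("ProductVersion")
        if latest and parse_version(latest)[0] == major:
            return latest
    return None

def actively_exploited_cves(feed: dict, version: str) -> Optional[list]:
    """CVE list for `version` if the cache knows that release, else None (unknown)."""
    for entry in feed.get("OSVersions", []):
        latest = entry.get("Latest", {})
        if latest.get("ProductVersion") == version:
            return latest.get("ActivelyExploitedCVEs", [])
    return None

def load_state(path: str) -> dict:
    """Marker metadata (assumed file name / key); missing or corrupt file -> empty."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}

def save_state(path: str, state: dict) -> None:
    with open(path, "w") as fh:
        json.dump(state, fh)

def should_force_refresh(required: str, feed: dict, state: dict) -> bool:
    """True when requiredMinimumOSVersion is newer than the cached Latest.ProductVersion
    and no out-of-band sync has already been recorded for this exact required value."""
    if state.get("outOfBandSyncFor") == required:
        return False  # already synced once for this value (guards the 15.41 typo case)
    latest = cached_latest(feed, parse_version(required)[0])
    if latest is None:
        return True  # cache knows nothing about this major train: sync once
    return parse_version(required) > parse_version(latest)

def run_cycle(required: str, feed: dict, state_path: str,
              fetch_feed: Callable[[], dict]) -> Tuple[bool, dict]:
    """One Nudge run: decide, optionally sync, then record the marker. Returns (synced, feed)."""
    state = load_state(state_path)
    if not should_force_refresh(required, feed, state):
        return False, feed
    feed = fetch_feed()
    state["outOfBandSyncFor"] = required
    save_state(state_path, state)
    return True, feed

def demo() -> dict:
    """Walk the scenario from the issue; returns what each run observed."""
    with tempfile.TemporaryDirectory() as d:
        state_path = os.path.join(d, "sofa_sync_state.json")
        fetches = []
        def fetch() -> dict:          # stands in for the network fetch of the feed
            fetches.append(1)
            return FRESH_FEED
        # 1. Admin pushes 15.4.1 while the cache still ends at 15.4: one forced sync.
        synced1, feed = run_cycle("15.4.1", STALE_FEED, state_path, fetch)
        cves = actively_exploited_cves(feed, "15.4.1")
        # 2. Same config on the next run: nothing to do.
        synced2, feed = run_cycle("15.4.1", feed, state_path, fetch)
        # 3. Typo 15.41: syncs once, then the marker suppresses further syncs.
        synced3, feed = run_cycle("15.41", feed, state_path, fetch)
        synced4, feed = run_cycle("15.41", feed, state_path, fetch)
        return {"first": synced1, "cves": cves, "second": synced2,
                "typo_first": synced3, "typo_repeat": synced4, "fetches": len(fetches)}

if __name__ == "__main__":
    print(demo())
```

Note that the marker is checked before the version comparison, so a scheduled refresh that later catches the cache up does not need to clear it; the marker only ever suppresses a second out-of-band sync for the same requiredMinimumOSVersion string.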
