
CI: npm OIDC trusted publishing workflow #84

Merged
AgentSeal merged 1 commit into main from feat/npm-oidc-publish on Apr 18, 2026

Conversation

@AgentSeal
Collaborator

Summary

  • Adds .github/workflows/publish-npm.yml which publishes codeburn to npm on v* tag push (or manual workflow_dispatch), using npm OIDC trusted publishing.
  • No NPM_TOKEN stored in repo secrets. OIDC exchanges short-lived tokens on demand.
  • Uses a GitHub Environment npm-publish with required reviewers (both AgentSeal + Resham Joshi), so every release requires explicit human approval before publish runs.
  • Adds --provenance flag, so every published version carries a cryptographic attestation linking it to the exact commit + workflow that built it.
  • Fails fast if the tag version does not match package.json version. Runs tests before publishing.

Prerequisites before a merge actually produces a publish

  1. Create GitHub Environment npm-publish at https://github.com/AgentSeal/codeburn/settings/environments with both AgentSeal + Resham Joshi as required reviewers.
  2. Register Trusted Publisher on npmjs.com at https://www.npmjs.com/package/codeburn/access with owner=AgentSeal, repo=codeburn, workflow=publish-npm.yml, environment=npm-publish.
  3. After OIDC is confirmed working on a test publish: revoke the existing classic NPM auth token.

Merging this PR does not trigger a publish by itself. The next v* tag push will.

Test plan

  • After merge, bump to a pre-release version (e.g. 0.7.4-rc.0), tag v0.7.4-rc.0, push
  • Confirm workflow starts and waits at the Environment approval gate
  • Approve as AgentSeal; confirm it publishes with provenance
  • Verify on npmjs.com that the version has a green "provenance" badge
  • Revoke the old classic NPM token

Triggers on v* tag push or manual dispatch. Builds, tests, then publishes
codeburn to npm with provenance attestation. Uses OIDC so no NPM_TOKEN is
stored in repo secrets. The npm-publish GitHub Environment gates the
publish step behind a required reviewer, so every release needs explicit
human approval before it reaches the registry.

Tag/package version mismatch fails fast before any build work. Tests run
before publish to prevent shipping a broken release.
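As an added illustration of the behaviour described in the PR summary and commit message above (OIDC trusted publishing with no stored token, an Environment approval gate, a fail-fast tag/version check, tests before publish, and `--provenance`), here is a workflow file in that shape. This is not the PR's actual `.github/workflows/publish-npm.yml`; the step names, the Node version, the `npm@latest` upgrade step, the `ref_type` condition that skips the tag check on a manual dispatch, and the shell used for the version comparison are all assumptions made for this example.

```yaml
# Added example, not the PR's own publish-npm.yml. Step names, Node version
# and the version-check script are assumptions; the trigger, environment
# name, permissions and publish flags follow what the PR describes.
name: publish-npm

on:
  push:
    tags: ['v*']        # release tags such as v0.7.4-rc.0
  workflow_dispatch:    # manual run; still gated by the Environment below

# Default: read-only. The job grants itself id-token only where it is needed.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # The Environment carries the required-reviewer rule, so the job does not
    # start until a reviewer approves it in the GitHub UI.
    environment: npm-publish
    permissions:
      contents: read
      id-token: write   # lets the runner mint a short-lived OIDC token for npm;
                        # no NPM_TOKEN secret is referenced anywhere
    steps:
      - uses: actions/checkout@v4

      # Fail fast: the tag must equal package.json "version" before any build
      # work. Skipped on workflow_dispatch, where GITHUB_REF_NAME is a branch
      # (assumption for this example). The runner image ships node for the
      # one-liner below.
      - name: Check tag matches package.json version
        if: github.ref_type == 'tag'
        run: |
          set -eu
          tag_version="${GITHUB_REF_NAME#v}"
          pkg_version="$(node -p "require('./package.json').version")"
          if [ "$tag_version" != "$pkg_version" ]; then
            echo "::error::tag v${tag_version} != package.json version ${pkg_version}"
            exit 1
          fi

      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      # Trusted publishing needs a recent npm CLI (11.5.1 or newer).
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm test   # a failing test suite stops the run before publish

      # --provenance attaches a signed attestation binding the tarball to this
      # commit and workflow run. With OIDC there is no NODE_AUTH_TOKEN to set.
      - run: npm publish --provenance
```

Two things worth checking once a workflow like this is in place: the `environment:` name must match the Environment configured with required reviewers and the one registered in the npm Trusted Publisher settings exactly, otherwise the token exchange is refused; and `id-token: write` should stay scoped to the publish job rather than being granted at the workflow level, so no other job can request an identity token.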
@AgentSeal AgentSeal merged commit 882deaf into main Apr 18, 2026
3 checks passed
@AgentSeal AgentSeal deleted the feat/npm-oidc-publish branch April 18, 2026 16:10
