Publish TypeScript bindings to npm

[jupblb]

Wires up TypeScript binding publication to npm. Adds a publish-npm job to release.yaml (alongside the existing Rust/JVM/Go publish jobs) and prepares bindings/typescript for npm with proper entry points, an emitted dist/ build, and OIDC-backed provenance attestation.

Post-merge: claim the @scip-code scope on npm

npm versions are immutable — once 0.7.1 is published it can never be re-uploaded. The first publish therefore goes through npm publish --dry-run so we can preview the tarball contents before committing.

From a maintainer's machine on main:

cd bindings/typescript
nix develop -c npm ci
nix develop -c npm run build
cp ../../LICENSE LICENSE
nix develop -c npm publish --dry-run --access public

Review the printed tarball manifest — verify it contains dist/scip_pb.js, dist/scip_pb.d.ts, package.json, and LICENSE, and nothing else (no node_modules, no scip_pb.ts, no sourcemaps in excess).

When satisfied, claim the scope and publish:

# One-time: create the @scip-code org on https://www.npmjs.com/org/create
# Then log in as an account that owns (or is a publisher on) @scip-code:
nix develop -c npm login
nix develop -c npm publish --access public --provenance

This claims the @scip-code scope for the npm account and seeds it with @scip-code/scip@0.7.1. From the next release onwards the workflow handles publication automatically once the following repo secret is configured:

• NPM_TOKEN — a granular access token scoped to the @scip-code packages with Read and write permission. The workflow's id-token: write permission lets npm verify provenance against this workflow's identity, so unauthorized re-publishes from forks or other workflows are rejected.