fix: update deps, Node 22, OIDC release, validate

[mhweiner]

Summary

• Dependencies: eslint 10 + flat config, kizu 4, typescript 5.6, ajv 8.18, typescript-eslint 8. Remove c8. Add validate script and --fix on lint.
• CI: Node 22 for release and typecheck; keep matrix [18, 20, 22, 24] for PR tests.
• Release: OIDC trusted publishing (no NPM_TOKEN). Remove NPM_CONFIG_PROVENANCE (automatic with OIDC). Use npm run validate, Node 22, npx autorel@^2 --publish.

Test plan

• npm run validate passes
• npm audit 0 vulnerabilities