Fix trusted npm latest release path

[jeremymcs]

Summary

• keep trusted latest releases from consuming the version on the dev tag before prod approval
• add a trusted latest package check before the protected production job
• publish latest with npm trusted publishing in production, while keeping token-only dist-tag promotion as an explicit fallback

Verification

• npm --prefix npm test
• npm --prefix npm run build
• npm --prefix npm run verify:release-tag -- v0.2.0
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/npm-publish.yml"); puts "yaml ok"'
• git diff --check

---

Note

Medium Risk
Changes production npm release sequencing and trusted vs token paths; mistakes could block releases or publish at the wrong stage, but scope is limited to CI workflow logic.

Overview
Reworks the latest channel path when publish_auth is trusted so the version is not published to @dev before production approval.

prerelease-publish is skipped for trusted, non–dry-run latest runs. A new trusted-latest-check job runs the same pre-publish gates (release tag, GitHub release assets, npm test/build, npm pack --dry-run) without touching the registry.

prod-release-plan and prod-release now advance when either trusted-latest-check or prerelease-verify succeeds; the production version is taken from release-input, not the prerelease job. In prod-release, trusted mode performs a single OIDC npm publish --tag latest after the prod environment; token mode keeps npm dist-tag add promotion only, with token verification steps gated to publish_auth=token.

Workflow input descriptions are updated to match this behavior.

^{Reviewed by Cursor Bugbot for commit 5c83b0b. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

^{Need help on this PR? Tag /codesmith with what you need. Autofix is enabled.}