
Set up OIDC trusted publishing for npm + JSR (one-time, no tokens) #1

Description

@bdelanghe

The release pipeline is already wired for OIDC trusted publishing: release.yml's publish job runs npm publish --access public --provenance and npx jsr publish authenticated by the workflow's OIDC identity (id-token: write). No NPM_TOKEN/NODE_AUTH_TOKEN.

The only blocker to publishing is the one-time, registry-side trust config (account-side settings, not CI secrets). Until it's done, the publish job will fail on a release tag.
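For reference, this is the shape such a publish job takes with least-privilege permissions. It is an added example, not the repo's actual release.yml; the Node version, the npm upgrade step and the tag-vs-package.json check are assumptions.

```yaml
# Assumed layout of .github/workflows/release.yml (example, not the repo's file).
name: release

on:
  push:
    tags:
      - "v*"               # vX.Y.Z tags cut by `mint release`

# Start from no permissions; grant only what the publish job needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')   # never publish from branch pushes
    permissions:
      contents: read       # check out the tagged commit
      id-token: write      # mint the OIDC token both registries verify
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI (assumption: >= 11.5.1).
      - run: npm install -g npm@latest

      # Version gating: refuse to publish when the tag and package.json disagree,
      # so a re-run or a stray tag cannot push a mismatched version.
      - name: Check tag matches package version
        run: |
          tag="${GITHUB_REF_NAME#v}"
          pkg="$(node -p "require('./package.json').version")"
          test "$tag" = "$pkg" || { echo "tag $tag != package.json $pkg" >&2; exit 1; }

      # No NPM_TOKEN: npm exchanges the job's OIDC token for a short-lived
      # credential against the trusted publisher configured on npmjs.com.
      - run: npm publish --access public --provenance

      # JSR likewise authenticates via OIDC once the package is linked to this repo.
      - run: npx jsr publish
```

Both publish steps fail until the registry-side trust links are in place, which is exactly the blocker this issue tracks.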

npm

  • Configure trusted publishing for @bounded-systems/mint on npmjs.com → link the trusted publisher to repo bounded-systems/mint, workflow .github/workflows/release.yml.
  • (If the package name has never been published) handle the first-publish bootstrap per npm's trusted-publishing flow.

JSR

  • Create the @bounded-systems scope on jsr.io (if not present).
  • Create the @bounded-systems/mint package and link it to the GitHub repo (enables OIDC publish from Actions).

Acceptance criteria

  • Cutting a vX.Y.Z tag (via mint release) publishes to both registries automatically, with no token in CI.
  • npm view @bounded-systems/mint version shows the release; npm provenance badge present.
  • The JSR package page shows the version.
  • Re-run validates idempotency / correct version gating.

Notes
