Add npm package publishing workflow

Set up automated publishing to npm when a new release is tagged.

**Acceptance Criteria:**
- Add GitHub Actions workflow for npm publish
- Trigger on new GitHub release/tag
- Build and run tests before publishing
- Publish with provenance for supply chain security
- Add NPM_TOKEN secret documentation

**Files:** new file `.github/workflows/publish.yml`, `package.json`