BUILD [SCMS] Prepare Skulk for npm publishing (auth, scope, CI)

[AdaInTheLab]

🧭 What this PR does

This PR prepares Skulk CLI for safe, repeatable publishing to npm, with a strong focus on automation hygiene and clear contracts.

Highlights

• Aligns npm package scope with the official org: @thehumanpatternlab/skulk
• Adds a tag-based npm publish workflow (CI-only, no accidental publishes)
• Introduces SKULK_TOKEN and SKULK_BASE_URL as the public configuration interface
• Keeps dry-run and JSON output semantics deterministic and automation-safe
• Verifies publish payload via npm pack and npm publish --dry-run

---

🔐 Security & Auth Model

• Publishing

  • Uses a granular npm automation token
  • Scoped to @thehumanpatternlab/*
  • Stored as a GitHub Actions secret (NPM_TOKEN)
  • Publishing only triggers on version tags (vX.Y.Z)

• Runtime

  • API auth via SKULK_TOKEN
  • API target via SKULK_BASE_URL or --base-url
  • No secrets are logged or committed

---

📦 npm Packaging Notes

• CLI entry wired via bin (skulk → dist/index.js)
• Published files are explicitly whitelisted
• Build output verified locally via tarball install
• Tests are excluded from the published artifact

---

✅ Verification

• npm run build
• npm pack
• Global install from tarball
• skulk --help / skulk --version
• npm publish --dry-run (scope + contents verified)
• CI publish workflow added (tag-based)

---

🐈 Carmel Judgment

“The offering is coherent. The blast radius is acceptable.” 😼✨

Ready for merge → tag → first publish.

[github-actions]

😼🔥 Carmel Chaos Stamp™

I sense weakness in these tests.

[github-actions]

😼✨ Carmel Approval Stamp™

Adequate work, human.