Motivation

• Implement a deterministic dev->main release flow where version bumps happen on dev, dev -> main PRs are auto-merged, tags and GitHub Releases are created on the exact main commit, Windows artifacts are built/uploaded, the crate is published to crates.io, and main is synced back into dev automatically.
• Ensure tag-triggered workflows run reliably by creating tags/releases and performing release operations with a PAT (RELEASE_PAT) rather than GITHUB_TOKEN where appropriate.
• Keep flows minimal, deterministic, and CI-driven because the runner cannot build or test Windows artifacts locally.

Description

• Add/modify Justfile to provide two PowerShell-friendly recipes: bump VERSION which updates package.version in Cargo.toml, updates Cargo.lock if tracked, and commits the change, and publish which validates branch/working-tree and opens a dev -> main PR with gh then enables auto-merge (squash); both recipes are Windows PowerShell compatible.
• Add ci workflow (.github/workflows/ci.yml) that runs on PRs and pushes to dev and main and performs cargo fmt --check, cargo clippy (deny warnings), and cargo test on ubuntu-latest.
• Add tag-and-release workflow (.github/workflows/tag-and-release.yml) that triggers on pushes to main, reads the Cargo.toml version via python/tomllib, computes v{version}, creates an annotated tag on the exact main commit if missing, pushes the tag using RELEASE_PAT, and creates a GitHub Release (idempotent checks for existing tag/release); uses actions/checkout with fetch-depth: 0 and avoids persisted credentials.
• Add release workflow (.github/workflows/release.yml) that triggers on tags v*.*.*, builds on windows-latest, packages the .exe and a zip bundle (including README.md/LICENSE if present), generates SHA256 files, uploads assets to the GitHub Release via gh authenticated with RELEASE_PAT, publishes to crates.io via cargo publish using CARGO_REGISTRY_TOKEN, and then creates/updates a main -> dev sync PR and enables auto-merge; all steps include idempotency checks.

Testing

• Ran cargo +nightly fmt --check which completed successfully on the host.
• Ran cargo +nightly clippy --all-targets --all-features -- -D warnings which failed on this non-Windows host due to unresolved windows-crate platform artifacts (expected for Windows-native code).
• Ran cargo +nightly build --features debug-tracing which failed on this non-Windows host for the same windows-crate platform reasons.
• Ran cargo +nightly test --locked which failed on this non-Windows host for the same platform reasons.

Codex Task