ci: add auto-publish to npm with changesets and provenance

[mattapperson]

Summary

• Add CI workflow for PR validation (lint, typecheck, test)
• Add release workflow using changesets/action with npm provenance signing (Sigstore/OIDC)
• Configure @changesets/cli with GitHub changelog generation
• Replace workspace:* dependency on @openrouter/sdk with latest
• Add pnpm-lock.yaml

Setup required after merge

1. Create an npm granular access token scoped to @openrouter/agent with publish permissions
2. Add it as NPM_TOKEN in GitHub repo Settings → Secrets → Actions
3. Optionally create an npm-publish environment in repo settings (allows adding required reviewers)

Release workflow

# In a PR branch, add a changeset:
pnpm changeset

# Merge PR → bot opens a "Version Packages" PR
# Merge that → publishes to npm with provenance

Test plan

• Verify CI workflow runs on this PR (lint, typecheck, test)
• After merge, confirm the release workflow triggers
• After configuring NPM_TOKEN, verify a test publish works with provenance