chore(repo): configure npm trusted publishing with OIDC#3

Merged
zrosenbauer merged 1 commit into main from chore/setup-npm-publishing
Mar 4, 2026

@zrosenbauer
Member

Summary

  • Replace legacy NPM_TOKEN secret with GitHub Actions OIDC authentication for npm publishing
  • Add repository metadata to all 5 packages for provenance validation
  • Add patch changeset across all packages to trigger initial OIDC-based release

Changes

  • .github/workflows/release.yml: Add permissions block (contents: write, pull-requests: write, id-token: write), replace NODE_AUTH_TOKEN with NPM_CONFIG_PROVENANCE: true
  • packages/*/package.json: Add repository field with GitHub URL and package directory to all 5 packages (core, cli, bundler, config, utils)
  • .changeset/setup-npm-trusted-publishing.md: Patch changeset for all packages

Manual steps required after merge

  1. Publish placeholder packages to npm (or do initial publish) for all @kidd-cli/* packages
  2. Configure trusted publishers on npmjs.com for each package (org: joggrdocs, repo: kidd, workflow: release.yml)
  3. Delete the NPM_TOKEN secret from GitHub repo settings

Testing

  • Verify CI passes
  • Confirm trusted publishers are configured on npmjs.com before merging
  • Validate first OIDC-based publish succeeds after merge

Replace legacy NPM_TOKEN secret with GitHub Actions OIDC authentication
for npm publishing. Add repository metadata to all packages for
provenance validation.

Co-Authored-By: Claude <noreply@anthropic.com>
@zrosenbauer zrosenbauer merged commit d8064fa into main Mar 4, 2026
1 check failed
@zrosenbauer zrosenbauer deleted the chore/setup-npm-publishing branch March 4, 2026 20:34
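
The repository metadata change listed above matters because npm compares `repository.url` in each published `package.json` with the source repository recorded in the provenance statement. The following pre-publish lint is an added example, not code from this pull request or the kidd repository; the function names, the `packages/<name>` directory layout and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example, not from the kidd repository. Manifests below are constructed.
const EXPECTED_REPO = 'joggrdocs/kidd'; // org and repo named in the PR description

// Reduce common spellings of a GitHub repository URL to "owner/repo".
// Anything else (other hosts, bare "owner/repo" shorthand) yields null.
function normalizeGitHubRepo(url) {
  if (typeof url !== 'string') return null;
  const m = url.trim().match(
    /^(?:github:|(?:git\+)?(?:https|ssh|git):\/\/(?:git@)?github\.com\/|git@github\.com:)([^\/\s]+)\/([^\/\s#]+?)(?:\.git)?\/?(?:#.*)?$/
  );
  return m ? `${m[1]}/${m[2]}` : null;
}

// Return a list of problems for one parsed package.json object.
function checkManifest(pkg, expectedRepo, expectedDir) {
  const problems = [];
  const repo = pkg.repository;
  const url = typeof repo === 'string' ? repo : repo && repo.url;
  const dir = repo && typeof repo === 'object' ? repo.directory : undefined;
  const actual = normalizeGitHubRepo(url);
  if (!url) problems.push('repository.url is missing');
  else if (actual === null) problems.push(`repository.url is not a GitHub URL: ${url}`);
  else if (actual !== expectedRepo) problems.push(`repository.url is ${actual}, expected ${expectedRepo}`);
  if (dir !== expectedDir) problems.push(`repository.directory is ${dir}, expected ${expectedDir}`);
  return problems;
}

// manifests: { "<package directory>": <parsed package.json> }
function lintAll(manifests, expectedRepo) {
  const report = {};
  for (const [dir, pkg] of Object.entries(manifests)) {
    const problems = checkManifest(pkg, expectedRepo, dir);
    if (problems.length > 0) report[pkg.name] = problems;
  }
  return report;
}

// Constructed sample manifests: one correct, three with typical mistakes.
const SAMPLE = {
  'packages/core': { name: '@kidd-cli/core', repository: { type: 'git', url: 'git+https://github.com/joggrdocs/kidd.git', directory: 'packages/core' } },
  'packages/cli': { name: '@kidd-cli/cli', repository: { type: 'git', url: 'https://github.com/example-fork/kidd', directory: 'packages/cli' } },
  'packages/utils': { name: '@kidd-cli/utils', repository: 'github:joggrdocs/kidd' },
  'packages/config': { name: '@kidd-cli/config' },
};
console.log(lintAll(SAMPLE, EXPECTED_REPO));
```

Run as a CI step before the publish job, a non-empty report is a reason to fail the build rather than discover the mismatch at publish time.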