ci: add npm-only release workflow to recover npm registry drift

[wesleysimplicio]

Motivation

• Provide a safe, manual recovery path for cases where PyPI has already been published but the npm registry is still behind (registry drift).
• Avoid re-running the dual PyPI+npm release.yml workflow when only npm needs to be repaired, reducing risk of double-publishing Python artifacts.

Description

• Add a new GitHub Actions workflow .github/workflows/npm-release.yml that accepts ref and version inputs and performs an npm-only publish flow.
• The workflow checks out the requested ref, sets up Node/npm auth, verifies package.json matches the expected version, runs npm whoami using NPM_TOKEN, and runs npm pack --dry-run before publishing.
• After npm publish --access public the workflow verifies the public registry with npm view and the latest dist-tag, and runs npx simplicio-prompt@<version> --version plus a --raw smoke check that searches for Compose with simplicio-cli.
• Update CONTRIBUTING.md with guidance to prefer the new manual npm release workflow when npm has fallen behind PyPI, and document the verification steps performed by the workflow.

Testing

• Ran npm test (Node + Python suites) and all automated tests passed across the local suites (Node CLI/hooks/cache/targets and Python unittest discovery).
• Ran npm pack --dry-run which produced simplicio-prompt-1.12.0.tgz as a successful dry-run of the npm package.
• Ran npm whoami locally which failed with ENEEDAUTH, confirming this environment is not authenticated to publish to npm and that the workflow requires a repository NPM_TOKEN secret for real publication.

---

Codex Task