chore: enforce dependency release age checks

[Egge21M]

Description

Adds a 7-day npm package release-age gate for Bun installs and CI validation.

Problem

Bun's resolver gate only affects new dependency resolution. Committed bun.lock entries still need explicit validation so too-new package versions cannot slip through by lockfile update.

Summary

• Add minimumReleaseAge = 604800 in bunfig.toml.
• Add a Bun lockfile audit script backed by npm registry publish timestamps.
• Run the audit in package build CI, publish CI, and a dedicated dependency-age workflow.
• Update workflow Bun pins to 1.3.11 so CI uses a Bun version with release-age support.

Verification

• bun run security:release-age
• env BUN_TMPDIR=/tmp/codex-bun-tmp BUN_INSTALL=/tmp/codex-bun-install bun install --frozen-lockfile
• bun run format:check
• git diff --check

Changeset

• Not added; this is repo security/CI tooling and does not change published package runtime APIs.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f896114

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.88%. Comparing base (8b77b95) to head (f896114).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #173   +/-   ##
=======================================
  Coverage   85.88%   85.88%           
=======================================
  Files         130      130           
  Lines       16939    16939           
=======================================
  Hits        14548    14548           
  Misses       2391     2391           

Flag	Coverage Δ
core-integration	50.13% <ø> (ø)
core-unit	90.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.