chore: enforce dependency release age checks

[Egge21M]

Description

Adds a 7-day npm package release-age gate for Bun installs and CI validation.

Problem

Bun's resolver gate only affects new dependency resolution. Committed bun.lock entries still need explicit validation so too-new package versions cannot slip through by lockfile update.

Summary

• Add minimumReleaseAge = 604800 in bunfig.toml.
• Add a Bun lockfile audit script backed by npm registry publish timestamps.
• Run the audit in package build CI, publish CI, and a dedicated dependency-age workflow.
• Update workflow Bun pins to 1.3.11 so CI uses a Bun version with release-age support.

Verification

• bun run security:release-age
• env BUN_TMPDIR=/tmp/codex-bun-tmp BUN_INSTALL=/tmp/codex-bun-install bun install --frozen-lockfile
• bun run format:check
• git diff --check

Changeset

• Not added; this is repo security/CI tooling and does not change published package runtime APIs.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6b2358f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.84%. Comparing base (74cf660) to head (6b2358f).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #173   +/-   ##
=======================================
  Coverage   79.84%   79.84%           
=======================================
  Files         108      108           
  Lines       11783    11783           
=======================================
  Hits         9408     9408           
  Misses       2375     2375           

Flag	Coverage Δ
core-integration	61.36% <ø> (ø)
core-unit	81.23% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.