Add repository release signature guard

[Davidrsdiaz]

/claim #10

Summary

• Adds a self-contained repository release signature guard for issue Project Repository & Version Control #10.
• Validates signed tag and commit evidence, release attestation target parity, DOI/citation target parity, export bundle manifest hashes, component hash coverage, and upstream fork attribution before a scientific repository version is published or exported.
• Generates deterministic JSON, Markdown, SVG, and H.264 MP4 reviewer artifacts from synthetic data only.

Demo

• repository-release-signature-guard/reports/demo.mp4
• repository-release-signature-guard/reports/release-signature-summary.svg

Validation

• node repository-release-signature-guard/test.js
• node repository-release-signature-guard/demo.js
• node repository-release-signature-guard/make-demo-video.js
• node --check repository-release-signature-guard/index.js
• node --check repository-release-signature-guard/sample-data.js
• node --check repository-release-signature-guard/demo.js
• node --check repository-release-signature-guard/test.js
• node --check repository-release-signature-guard/make-demo-video.js
• ffprobe -v error -select_streams v:0 -show_entries stream=codec_name,width,height,duration,nb_frames -show_entries format=size,duration -of default=noprint_wrappers=1 repository-release-signature-guard/reports/demo.mp4 -> H.264, 1280x720, 4.0s, 48 frames
• git diff --check
• git diff --cached --check

Safety

Synthetic fixtures only. No Git provider, GPG, Sigstore, DataCite, Crossref, package registry, wallet, credential store, private repository, or external service calls are used.