feat: code signing improvements, set-public-key command, and test suite

[ciehanski]

Changes

Features

• Upgrades code signing from a raw base64 signature to a proper RS256 JWT
  embedded as CodePush/.codepushrelease inside the release zip. This aligns
  with what the SDK expects on-device for bundle integrity verification.
• Adds dpctl app set-public-key <appName> <publicKeyPath> command to upload
  an RSA public key to an app directly from the CLI.
• --private-key now accepts either a file path or inline PEM content, making
  it easier to use in CI environments where the key is stored as a secret
  environment variable.

Fixes

• Resolves package.json path for compiled bin/ output so dpctl --version
  works correctly when installed globally.
• Updates rimraf to v4 promise-based API.
• Renames tmp directory from DeployPulse to dpctl.

Tests & CI

• Adds Mocha test suite with ts-node runner covering CLI commands, hash
  utilities, and the management SDK.
• Adds GitHub Actions test workflow that runs on every push and PR to main.

Breaking Change

The code signing format has changed from a raw base64 signature to an RS256 JWT.
If you were already using --private-key with the previous release, you will
need to update your app's signature verification logic accordingly.