npm: distribute binary via optional platform packages

[l-hellmann]

What Type of Change is this?

• New Feature
• Fix
• Improvement
• Release
• Other

Description (required)

Reworks npm distribution from a postinstall-time download to per-platform packages selected via optionalDependencies + os/cpu fields (the pattern used by esbuild/swc/biome, described in Sentry's "Publishing binaries on npm").

Why: Bun (and other managers / hardened setups) block postinstall scripts by default, so the binary was never downloaded and zcli failed with You have not installed zcli-.... Simply moving the download to first-run (see #260) fixes Bun but regresses the existing install base: EACCES on global installs run by a non-root user, no longer self-contained Docker/CI images, network required at first run, and stale binaries on upgrade. Delivering the binary through a normal optional dependency sidesteps all of that — Bun honors os/cpu, and the binary arrives at install time exactly like before, with the package manager guaranteeing the version matches.

What changed:

• Main package (tools/npm) is now a thin launcher: bin/zcli.js resolves the matching platform binary via require.resolve (lib/resolve.js + lib/platforms.js) and execs it, forwarding args and exit code. Removed the axios/tar/rimraf download machinery and the postinstall/preuninstall scripts.
• scripts/build-platform-packages.mjs generates one publishable package per platform (os/cpu, version, binary in bin/) from the release binaries.
• Release pipeline builds the platform packages and publishes them before the main package so its optionalDependencies resolve.
• The npm packages ship the channel=npm binaries (the ones that make zcli upgrade defer to npm instead of self-updating), which goreleaser only emits inside the *-npm.tar.gz archives. The publish job downloads and extracts those rather than the raw channel=manual release assets. goreleaser itself is unchanged by this PR.
• Added a post-publish smoke-test CI job: installs the just-published @zerops/zcli across linux / macOS (arm64 + amd64) / Windows via npm, plus Bun on linux/macOS, and runs zcli version. A broken release (missing platform package, os/cpu mismatch, Bun incompatibility, lost exec bit) fails CI immediately instead of surfacing in user reports.
• Pre-release support: the publish + smoke-test jobs now also run on GitHub prereleased events, publishing under the next dist-tag instead of latest. npm i @zerops/zcli keeps getting the latest stable; a pre-release is installable via @zerops/zcli@next (and bun add @zerops/zcli@next) for testing without affecting existing users. Promote a tested pre-release to stable with a full GitHub release (or npm dist-tag add @zerops/zcli@<version> latest).

Notes / open questions:

• No postinstall fallback (the Sentry post keeps one for managers run with --no-optional/--ignore-optional). Left out to stay clean and Bun-safe; we surface a clear error instead. Easy to add if wanted.
• Relies on npm publish preserving the executable bit on the binary (same assumption esbuild makes; build script sets chmod 755). Verified: the packed tarball keeps -rwxr-xr-x.
• The smoke-test job is a post-publish detector, not a pre-publish gate — the package is already live when it runs, so a failure alerts rather than prevents. A Verdaccio-based pre-publish gate is possible if we want one.
• The Discord report job still fires only on full releases, not pre-releases.

Tested locally end-to-end with a fake binary set: build script output (os/cpu/version, Windows .exe), resolver, launcher arg/exit-code forwarding, and the missing-package error path. goreleaser check passes, and npm publish --dry-run / npm pack confirm the file list and exec bit.

Related issues & labels (optional)

• Relates to fix: remove dependency on postinstall script #260 (alternative to the runtime-download approach)