feat(npm): @pineforge/codegen-pyodide package + dry-run-safe publish (Phase 3a)

[luisleo526]

Summary

Phase 3a of the conformance flow (spec §7/§8). Produces the publishable @pineforge/codegen-pyodide — the single artifact the app will consume — and moves the codegen table introspection into this repo.

Package contents (built at publish time from the gate-validated archive — release.json.sha256 ties the archive ↔ unpacked source ↔ metadata):

• pineforge_codegen-<ver>.tar.gz — the exact archive the gate validated
• pineforge_codegen/ — unpacked source (for the app's Node oracle/grammar tooling, no submodule)
• tables.json — 52 introspected tables (the app renders tables.generated.ts from this)
• release.json — {codegen, pyodide, python, emscripten, sha256}
• index.mjs — resolves all of the above

Pieces

• scripts/dump-tables.py — introspection → tables.json
• scripts/build-npm-package.mjs — assembles npm/ by extracting source from the validated archive (single source of truth)
• npm/package.json (@pineforge/codegen-pyodide, PolyForm license, pyodide peer) + npm/index.mjs
• .github/workflows/publish-pyodide.yml — gate-first, npm OIDC (mirrors codegen-mcp), dry-run-safe

Dry-run-safe

Nothing ships until the one-time bootstrap (npm/README.md): first manual publish + per-package trusted-publisher config for this NEW package. Real publish only via workflow_dispatch with dry_run=false; tag pushes dry-run only.

Deferred to Phase 3b (app side)

Consume this package, drop the vendor/pineforge-codegen submodule, repoint all ~12 consumers, and the byte-for-byte tables.json → tables.generated.ts regression.

Test plan

• publish-pyodide.yml dry-run runs green on a clean runner (gate 275 + npm publish --dry-run).
• Local: gate 275 PARITY OK; npm pack --dry-run clean (37 files, no strays); index.mjs resolves.

🤖 Generated with Claude Code