fix(ci): npm publish preflight + clear-error-on-missing-token

[imzzaidd]

Summary

The Release workflow's npm publish step failed on the v0.15.5 tag push with:

```
npm error 404 Not Found - PUT https://registry.npmjs.org/@vizzor%2fcli
npm error 404 '@vizzor/cli@0.15.5' is not in this registry.
```

This is a misleading error — `@vizzor/cli` IS on npm (latest 0.15.2). npm disguises 401/403 (auth failures) as 404 to avoid leaking scope existence. The actual cause is that the `NPM_TOKEN` repo secret is missing, empty, or revoked.

Fix

• Preflight step — fails the job immediately with a clear actionable message when `NPM_TOKEN` is empty, telling the operator exactly where to generate a Granular Access Token and where to paste it. No more cryptic 404 stares.
• `always-auth: true` on `setup-node` — forces the registry-auth header on every npm/pnpm op so the token isn't silently dropped on some pnpm versions.
• Strip `v` prefix from the tag explicitly before `npm version` — `v0.15.5` works on current npm-cli versions but the explicit strip makes the log readable and bullet-proofs against future cli changes.
• `workflow_dispatch` tag checkout — the existing dispatch input (`tag`) was accepted but the workflow checked out the default branch instead of the specified tag. Now it resolves correctly so a manual re-publish operates on the right commit.
• Triple env-var auth — sets `NODE_AUTH_TOKEN`, `NPM_TOKEN`, and `NPM_CONFIG_TOKEN` on the publish step so both npm's `.npmrc` flow and pnpm's direct env lookup find the token.

Operator action required

After this PR merges, generate a fresh Granular Access Token at:

https://www.npmjs.com/settings/imzzaidd/tokens/granular-access-tokens/new

Permissions: read and write on `@vizzor/cli`. Then:

Settings → Secrets and variables → Actions → New repository secret
Name: `NPM_TOKEN`
Value:

Then re-trigger:

```bash
gh workflow run "Release" --ref main -f tag=v0.15.5
```

The preflight will confirm the token is present, and the publish will proceed.