Packaged artifacts validator: 16/16 preflight checks

## What it is

The preflight validator (`scripts/preflight.ts`) checks a release artifact against 16 criteria:

1. Signature valid (Mac codesign / Win signtool / Linux GPG)
2. Notarization stapled (Mac)
3. Entitlements correct (Mac hardened runtime)
4. CSP injected into all HTML
5. Source maps stripped (or published separately to a sourcemap server)
6. SBOM (CycloneDX) included
7. Version metadata consistent (`package.json`, `CHANGELOG.md`, git tag)
8. Bundle size within budget (≤ 200KB main + lazy chunks ≤ 500KB each)
9. No `dev` dependencies in the production tree
10. License file present
11. Icons in all sizes (16, 32, 64, 128, 256, 512, 1024)
12. Auto-updater URL signed manifest
13. Crash reporter wired
14. Audit-log schema initialized in the bundled DB
15. CSP report-URI accessible
16. Healthcheck endpoint responsive

A failed check is marked red and blocks the release. CI reports include the preflight output in the release notes.

Components: `scripts/preflight.ts`, `.github/workflows/release.yml`.

## Why

Without a single source of truth for "is this artifact releasable?", every release is a manual checklist subject to human error. The 16/16 gate makes "press button → release" safe and idempotent.

## Sources of inspiration

- [openclaw/clawsweeper](https://github.com/openclaw/clawsweeper) — CI triage automation
- [linear/linear-release](https://github.com/linear/linear-release) — release tracking automation
- [steipete/ReleaseBar](https://github.com/steipete/ReleaseBar) — release freshness dashboard

## 🔗 Linear

- [PZD-419](https://linear.app/kuhjie/issue/PZD-419) — backing ticket
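Checks 4, 5, 7 and 8 from the list above, evaluated as a release gate. This is an added example, not the project's `scripts/preflight.ts`; every type and function name in it is hypothetical. It assumes the artifact is available as an in-memory file listing, that the CSP is injected as a `<meta http-equiv>` tag, that changelog headings have the form `## [1.4.0] - date`, and that 1 KB is 1024 bytes.

```typescript
// Added example, not the project's scripts/preflight.ts. All names are hypothetical.
type ArtifactFile = { path: string; bytes: number; text?: string };
type Artifact = { files: ArtifactFile[]; gitTag: string; mainChunk: string };
type CheckResult = { id: number; name: string; ok: boolean; detail: string };
const KB = 1024; // assumption: the budget's "KB" means 1024 bytes
// Assumption: the CSP is injected as a <meta http-equiv> tag in each HTML file.
const CSP_META = /<meta[^>]+http-equiv=["']Content-Security-Policy["']/i;
const MAP_REF = /\/\/[#@]\s*sourceMappingURL=/;

function runPreflight(a: Artifact): { releasable: boolean; results: CheckResult[] } {
  const results: CheckResult[] = [];
  const add = (id: number, name: string, bad: string[]): void => {
    results.push({ id, name, ok: bad.length === 0, detail: bad.join("; ") || "ok" });
  };
  const text = (p: string): string => a.files.filter((f) => f.path === p)[0]?.text ?? "";
  // Check 4: every HTML file carries a CSP.
  add(4, "CSP on all HTML", a.files
    .filter((f) => /\.html$/.test(f.path) && !CSP_META.test(f.text ?? ""))
    .map((f) => f.path));
  // Check 5: no .map files shipped, no sourceMappingURL comment left in JS.
  add(5, "Source maps stripped", a.files
    .filter((f) => /\.map$/.test(f.path) || (/\.js$/.test(f.path) && MAP_REF.test(f.text ?? "")))
    .map((f) => f.path));
  // Check 7: package.json, CHANGELOG.md and the git tag name the same version.
  let version = "";
  try { version = String(JSON.parse(text("package.json")).version ?? ""); } catch { /* unreadable */ }
  const bad7: string[] = [];
  if (!version) bad7.push("package.json: no readable version");
  if (a.gitTag.replace(/^v/, "") !== version) bad7.push("git tag " + a.gitTag);
  // Assumption: changelog headings look like "## [1.4.0] - 2025-01-01".
  const heading = (l: string): boolean => l.charAt(0) === "#" && l.indexOf("[" + version + "]") !== -1;
  if (!text("CHANGELOG.md").split("\n").some(heading)) bad7.push("CHANGELOG.md: no heading for version");
  add(7, "Version metadata consistent", bad7);
  // Check 8: main chunk <= 200 KB, every other (lazy) chunk <= 500 KB.
  add(8, "Bundle size in budget", a.files
    .filter((f) => /\.js$/.test(f.path) && f.bytes > (f.path === a.mainChunk ? 200 : 500) * KB)
    .map((f) => f.path + ": " + f.bytes + " B"));

  // Any failed check blocks the release.
  return { releasable: results.every((r) => r.ok), results };
}

// Constructed sample artifact (not real project data): three checks should fail.
const SAMPLE: Artifact = { gitTag: "v1.4.0", mainChunk: "dist/main.js", files: [
  { path: "package.json", bytes: 32, text: '{"name":"app","version":"1.4.0"}' },
  { path: "CHANGELOG.md", bytes: 36, text: "# Changelog\n## [1.4.0] - 2025-01-01\n" },
  { path: "dist/index.html", bytes: 39, text: "<html><head></head><body></body></html>" },
  { path: "dist/main.js", bytes: 150 * KB, text: "run();\n//# sourceMappingURL=main.js.map" },
  { path: "dist/lazy-editor.js", bytes: 510 * KB, text: "export {};" },
] };
```

Running `runPreflight(SAMPLE)` returns `releasable: false` with checks 4, 5 and 8 failing, and each `detail` field names the offending file.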

Status: In Review

Board: ♾️ Bugs, Fixes, Improvements

Date: About 19 hours ago

Author: agi
