CI/CD validation

Every PR runs contract validation (including icon policy checks) and uploads a JSON artifact that SurfaceOps can ingest. Minimal workflow:

- run: pnpm install --frozen-lockfile
- run: pnpm examples:build-manifest
- run: pnpm examples:test-edge
- run: pnpm run validate:ci

# Icon policy outcomes in CI/CD time:
# icon.source-disallowed + policy=warn   => warning visibility, exit 0
# icon.source-disallowed + policy=strict => blocking error, exit 20

CI/CD time is authoritative for icon-source policy. `icon.source-disallowed` stays non-blocking in warn mode and becomes blocking in strict mode, while artifacts remain available for SurfaceOps review.