chore: update slophammer-ts to ^0.3.0 and run checker in CI

[osolmaz]

Summary

The slophammer-ts devDependency was pinned at ^0.1.2, and CI only ran the DRY gate — never slophammer-ts check itself, so the rule config in slophammer.yml was effectively decoration.
This change bumps the checker to ^0.3.0, migrates the config to the nested shape the checker now requires, and adds the missing check invocation to both CI and the publish workflow.
0.3.0 enforces exactly this: a repo with a slophammer config must run the checker in CI that can actually fail.

What Changed

The dependency, the config shape, and the CI wiring moved together.

• package.json / package-lock.json: slophammer-ts ^0.1.2 → ^0.3.0, plus a new "slophammer": "slophammer-ts check ." script.
• slophammer.yml: coverage_threshold → coverage.threshold, complexity_max → complexity.max, mutation_targets → mutation.targets.
• .github/workflows/ci.yml and publish.yml: a npm run slophammer step after the existing dry and mutate steps.

Testing

I ran the full gate chain locally against the released 0.3.0 package.

• npm run check (format, lint, typecheck, test, coverage, build) — passes
• npm run dry — 0 candidates
• npm run mutate (Stryker dry-run) — passes
• npm run slophammer — OK: no findings, scope: 12 of 12 production files

Risks

Low. The new CI step can only fail if the checker finds a real regression, which is its purpose; everything passes today.