fix(08): verify tag matches pyproject.toml version in release workflow (WR-03)

Prevents publishing under a misleading GitHub Release tag when the
tag name does not match the version declared in pyproject.toml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ayhammouda

.github/workflows/release.yml

@@ -27,6 +27,16 @@ jobs:
       - name: Install dependencies
         run: uv sync --dev
 
+      - name: Verify tag matches package version
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION=$(uv run python -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "::error::Tag ${GITHUB_REF_NAME} does not match pyproject.toml version ${PKG_VERSION}"
+            exit 1
+          fi
+          echo "Version check passed: ${PKG_VERSION}"
+
       - name: Run linter
         run: uv run ruff check src/ tests/