feat(sync-releases): show artifact details, verify GPG, allow custom rollout (#58)

* feat(sync-releases): show artifact details, verify GPG, allow custom rollout

The previous production prompt was a single y/N with no artifact context, no
way to override the hardcoded 10% rollout, and no signature verification. An
operator confirming a release this way had to trust that the right files were
in S3 and that the .sig was issued by the OTA root key — neither was visible.

Changes:
* Print full artifact summary before the prompt: URL, sha256, compatibleSkus,
  and signature status for each artifact.
* Verify each .sig file with gpg --status-fd=1 and check the primary key
  fingerprint against OTA_ROOT_KEY_FPR (mirrored from rv1106-system's
  release_r2.sh). Reports valid / wrong-root / invalid / missing-pubkey /
  gpg-unavailable / absent, with a loud WARNING line for wrong-root and
  invalid signatures so the operator cannot miss them.
* Print the latest already-synced release of the same type before the prompt
  so the operator can confirm this is the next expected version.
* Add an interactive rollout-percentage prompt with 10% default, validated to
  0-100, replacing the hardcoded 10.
* Add an `a`/`abort` answer alongside y/N so operators can stop a multi-
  release sync mid-run when they spot something wrong, instead of having to
  N through every remaining version.
* Print the DB target and bucket as the first line of main() so a wrong
  .env.production selection is obvious before any prompts fire.
* Print a final run summary with counters: created / skipped-by-user /
  already-synced / no-artifacts, plus an "aborted at <type> <version>" line
  when the run was cut short.
* Add `npm run sync-releases:production` script and ignore .env.production.

Verification path runs only when NODE_ENV=production, so non-prod runs and
the test suite never spawn gpg or download artifacts. All 52 existing tests
still pass; tsc build is clean.

* refactor: hoist objectKeyFromArtifactUrl into helpers

Both src/releases.ts and scripts/sync-releases.ts had their own copy of the
same URL-to-S3-key conversion. Moved into src/helpers.ts and imported from
both call sites so a future change (e.g. CDN path prefix handling) only needs
to land once.

* fix(sync-releases): only treat ERRSIG rc=9 as missing pubkey

GnuPG's ERRSIG line carries an `rc` reason code. rc=9 is the only one that
means "we don't have the signer's key" — rc=4 (unsupported algorithm) and
other codes are real verification failures. The previous implementation
collapsed every ERRSIG into noPubkey, which would have falsely told the
operator the OTA root key was missing when the actual problem was e.g. an
unsupported pubkey algorithm.

Now parses the rc field and surfaces non-9 ERRSIG codes as `invalid` with a
human reason (rc=4 → "unsupported algorithm", others → "gpg error code N").

Author: adamshiervani

.gitignore

@@ -3,3 +3,4 @@ node_modules
 dist/
 .env
 .env.development
+.env.production

package.json

@@ -12,6 +12,7 @@
     "prisma-migrate": "prisma migrate deploy",
     "seed": "NODE_ENV=development node -r ts-node/register --env-file=.env.development ./scripts/seed.ts",
     "sync-releases": "NODE_ENV=development node -r ts-node/register --env-file=.env.development ./scripts/sync-releases.ts",
+    "sync-releases:production": "NODE_ENV=production node -r ts-node/register --env-file=.env.production ./scripts/sync-releases.ts",
     "build": "tsc",
     "test": "vitest run",
     "test:watch": "vitest",