feat: external sourcemap upload for compiled binaries

Two-step build: bundle TS → JS+sourcemap, then compile JS → binary.
The sourcemap is uploaded to Sentry for server-side stack trace
resolution, never shipped to users in the binary.

Verified end-to-end: stack traces in Sentry now show original function
names (throwApiError, unwrapResult) and file paths
(src/lib/api/infrastructure.ts:48) instead of minified names (G8, W41)
and //root/bin.js.

Impact vs current (no sourcemaps):
  Download size: +0.04 MB gzipped (+0.1%)
  Delta patches:  +0.83 KB per release
  Binary size:   +0.54 MB raw (+0.5%)

Build changes:
- script/build.ts: Step 1 bundles with external sourcemap,
  sentry-cli injects debug IDs + uploads with //root/ prefix,
  Step 2 compiles the JS without re-minifying
- CI: passes SENTRY_AUTH_TOKEN to build-binary job for upload
- Intermediate JS/map files cleaned up after compile

Author: BYK

.github/workflows/ci.yml

@@ -225,6 +225,8 @@ jobs:
       - name: Build
         env:
           SENTRY_CLIENT_ID: ${{ vars.SENTRY_CLIENT_ID }}
+          # Sourcemap upload to Sentry (non-fatal, skipped when token is absent)
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           # Set on main/release branches so build.ts runs binpunch + creates .gz
           RELEASE_BUILD: ${{ github.event_name != 'pull_request' && '1' || '' }}
         run: bun run build --target ${{ matrix.target }}