Add required --allow-publish flag to npm trust commands

[rgarcia]

Summary

npm trust github ... now fails on npm 11.17 with "At least one permission flag is required (--allow-publish, --allow-stage-publish)". The release workflows run a plain npm publish, so --allow-publish is the correct grant. Updated all four npm trust invocations in docs/npm-releases.md and bumped the suggested npm install to ^11.17.0 to match the syntax.

Test plan

• npm trust --help on npm 11.17.0 confirms the flag and usage
• Docs-only change

🤖 Generated with Claude Code

---

Note

Low Risk
Documentation-only change to release setup instructions; no runtime or workflow code is modified.

Overview
Updates docs/npm-releases.md so trusted-publisher setup matches npm 11.17+, where npm trust github requires an explicit permission flag.

The doc now recommends npm install -g npm@^11.17.0 (was ^11.10.0) and adds --allow-publish to every npm trust github example for @onkernel/cua-ai, @onkernel/cua-agent, and @onkernel/cua-cli, including the post–first-publish CLI block for the CLI package.

^{Reviewed by Cursor Bugbot for commit 253cec2. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

PRs in the kernel, infra, hypeman, and hypeship repos. kernel is a ~mono repo with many logical services underneath, ensure to focus on the implicated service for the PR

Reason: PR modifies only documentation (docs/npm-releases.md) and does not affect any of the monitored repos (kernel, infra, hypeman, hypeship); please opt in manually if deploy monitoring is needed.

To monitor this PR anyway, reply with @firetiger monitor this.