ci(extension): add lint, build, and dual-marketplace release workflows

`extension-ci.yml`: triggers on push and PR to `main` whenever anything
in `extension/` changes. Runs lint, typecheck, build, and `vsce
package`, then uploads the resulting `.vsix` as an artefact for manual
smoke testing (download from the Actions run, install via "Extensions:
Install from VSIX..." in any VS Code-compatible editor).

`extension-release.yml`: triggers on `v*` tags so engine release tags
fire the extension release in lockstep, with manual dispatch as a
fallback. Builds the `.vsix`, then publishes to:

- VS Code Marketplace via `vsce publish` (using the `VSCE_PAT` repo
  secret).
- Open VSX Registry via `ovsx publish` (using the `OVSX_PAT` repo
  secret).

When triggered by a tag, also attaches the `.vsix` to the GitHub
release so users on Open VSX-less editors can grab it directly.

Both workflows are scoped to the `extension/` working directory so
engine-only changes don't trigger them, and they rely on the
extension's own `package-lock.json` for npm caching. Permissions
follow least-privilege: workflow-level `contents: read`, with
`contents: write` granted only to the publish job for the GitHub
release upload step.

.github/workflows/extension-ci.yml

@@ -0,0 +1,55 @@
+name: Extension CI
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "extension/**"
+      - ".github/workflows/extension-ci.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "extension/**"
+      - ".github/workflows/extension-ci.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  lint-build-package:
+    name: Lint, typecheck, build, package
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: extension
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: extension/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Typecheck
+        run: npm run typecheck
+
+      - name: Build
+        run: npm run compile
+
+      - name: Package .vsix
+        run: npm run package
+
+      - name: Upload .vsix artefact
+        uses: actions/upload-artifact@v4
+        with:
+          name: socraticode-vsix
+          path: extension/*.vsix
+          if-no-files-found: error
+          retention-days: 7

.github/workflows/extension-release.yml

@@ -0,0 +1,60 @@
+name: Extension Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish .vsix to VS Code Marketplace and Open VSX
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: extension
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: extension/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Typecheck
+        run: npm run typecheck
+
+      - name: Build
+        run: npm run compile
+
+      - name: Package .vsix
+        run: npm run package
+
+      - name: Publish to VS Code Marketplace
+        env:
+          VSCE_PAT: ${{ secrets.VSCE_PAT }}
+        run: npm run publish:vsce
+
+      - name: Publish to Open VSX
+        env:
+          OVSX_PAT: ${{ secrets.OVSX_PAT }}
+        run: npm run publish:ovsx
+
+      - name: Upload .vsix to GitHub release
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: softprops/action-gh-release@v2
+        with:
+          files: extension/*.vsix
+          fail_on_unmatched_files: false