docs + hardening: README polish, snippet DNT coverage, CI hardening

[Akayashuu]

Summary

• README: centered header with badges (npm, ≤1 kB snippet, zero-deps, license); clarified the privacy bullet to mention query-string stripping.
• Snippet: documented the intentional DNT divergence — the inline snippet checks only the standard '1' (legacy 'yes' is omitted to stay within the ≤1 kB budget; the full SDK honors both). Added a blocking test asserting DNT suppresses sending.
• CI hardening (both ci.yml and release.yml):
  • Third-party actions SHA-pinned (with version comments).
  • permissions: contents: read everywhere; id-token: write only on release for npm provenance.
  • concurrency cancellation, timeout-minutes, persist-credentials: false.
  • Release re-runs the full gate before publishing and emits a signed npm provenance attestation (NPM_CONFIG_PROVENANCE).

Test Plan

• pnpm lint / typecheck clean
• pnpm test — 89 passed (added DNT blocking test)
• pnpm size — 999 B < 1 kB
• All four workflow YAMLs validated

Note: npm provenance requires the package repository URL to match the GitHub repo the release runs in — verify before the next release.