docs: add release runbook covering 6 SPOFs (S0-3) (#403)

Ship docs/release-runbook.md covering the six release-pipeline single
points of failure called out in MCP-7 S0-3:

1. macOS signing + notarization (codesign + notarytool)
2. Windows installer signing (SignPath today; D30-6 decision pending)
3. Claude release notes generation (Anthropic API, non-blocking)
4. Cloudflare R2 apt/yum publish (spec 043, stable tags only)
5. Homebrew tap bump (formula + cask)
6. `next` branch hygiene (prerelease pipeline as early signing canary)

Each SPOF section names the exact workflow job, required secrets, expiry
windows, and a recovery matrix — written so an on-call engineer can
unblock a failing release without re-reading the whole pipeline.

Cross-linked from specs/README.md under a new "Operational runbooks"
section.

Refs: MCP-9, MCP-7 (S0-3)

Co-authored-by: Claude Code <noreply@anthropic.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>

Author: 3 people