Ships the release side of Step 3.3: tagging vX.Y.Z on main produces a
GitHub release with cross-platform archives + SHA256SUMS, and every
binary self-identifies via `workmem version`.

Changes:
- cmd/workmem: add `version`/`--version`/`-v` command. Build metadata
  (version, commit, buildDate) lives in package-level vars overridden
  at link time via `-ldflags -X main.version=...`. Source builds and
  `go install` report "workmem dev"; tagged release binaries report
  the real vX.Y.Z + 7-char commit SHA + ISO-8601 build timestamp.
- .github/workflows/release.yml: new workflow triggered on `v*` tag
  push. Matrix builds 5 targets (darwin/linux amd64+arm64, windows
  amd64), packages each as tar.gz (unix) or zip (windows) with the
  binary + LICENSE + README inside a top-level directory, uploads
  to a per-matrix artifact. Second job downloads all archives,
  generates SHA256SUMS, detects pre-release suffixes (rc/alpha/beta/
  pre/dev) and calls `gh release create --generate-notes` to publish.
- README.md: rewrite Install section with three paths — Homebrew tap
  (placeholder until the tap repo exists), direct download with
  SHA256SUMS verification + Gatekeeper note, build from source incl.
  `go install`. Fix a duplicated License line.
- IMPLEMENTATION.md: Step 3.3 items refreshed — CI cross-builds and
  release binaries now [x]; Homebrew tap and fresh-machine validation
  remain [ ] pending the first actual tag + tap repo creation.

Two real catches:

- cmd/workmem: the local variable holding *mcpserver.Runtime in
  runMCP was named `runtime`, which shadows the stdlib `runtime`
  package now imported for `runtime.Version()`. Rename to `rt` so
  the shadowing is gone and future readers aren't confused about
  which `runtime` is in scope.
- .github/workflows/release.yml: the top-level directory inside
  the tar.gz/zip was `workmem-<os-arch>` but the README install
  commands extract into `workmem-<os-arch>-vX.Y.Z/`. Align the
  packaging so the dir inside the archive carries the version
  suffix too. Archive filename was already versioned, only the
  inner dir was out of sync.

- README: replace "single static binary" with "single self-contained
  binary, no external runtime dependencies". Go binaries with
  CGO_ENABLED=0 still link dynamically against libSystem on macOS
  and kernel32 on Windows; "static" was technically inaccurate.
- README: the `shasum --ignore-missing` flag does not exist on macOS
  shasum (only on GNU sha256sum). Switch the verification recipe to
  `grep "<archive>" SHA256SUMS | shasum -a 256 -c`, which only
  verifies the archive the user actually downloaded and works
  identically on macOS and Linux without GNU-specific flags.
- IMPLEMENTATION.md: the Step 3.3 CI cross-builds description read
  "darwin/linux/windows × amd64/arm64" but the matrix has no
  windows/arm64 target. Replace with the actual 5-target list to
  keep the doc honest about what ships.

- README: the single `shasum -a 256 -c` recipe does not work out of
  the box on Linux — many distros ship `sha256sum` (GNU coreutils)
  but not `shasum` (Perl-based BSD/macOS). Split the example into
  two blocks so the macOS verification uses `shasum` and the Linux
  one uses `sha256sum`, with archive names matching the typical
  platform for each.
- release.yml: the pre-release detection regex `-(rc|alpha|beta|pre|
  dev)` matched the suffix anywhere in the tag name, which would
  treat `v1.0.0-preview` as a pre-release because "-pre" appears
  in the middle. Anchor to end-of-string with `$` and allow
  optional trailing digits (e.g. `-rc1`, `-beta2`) so only
  genuinely pre-release suffixes trigger the flag.