feat: add npm workspace indexing support

[jojosenthusiast]

Fixes #394

Reproduction

scip-typescript supported Yarn classic, Yarn Berry, and pnpm workspaces, but had no npm workspace mode.

Fix summary

• Add --npm-workspaces / npmWorkspaces option support.
• Detect npm workspace package roots from root package.json workspaces arrays and { packages: [...] } objects.
• Add parser coverage for npm workspace array/object forms.
• Add an npm workspaces fixture with two packages and snapshot output.
• Normalize indexed project keys so Windows path separators do not produce duplicate SCIP documents.

Tests run

• git diff --check $(git merge-base upstream/main HEAD)..HEAD → pass
• Prettier check over committed changed files, respecting .prettierignore → pass
• ESLint over changed source files → pass
• tsc -b . --noEmit → pass
• node -r tsm src/CommandLineOptions.test.ts → pass, 9/9
• node -r tsm src/listNpmWorkspaces.test.ts → pass, 3/3
• npm-workspaces fixture smoke → pass; produced two documents (packages/a/src/a.ts, packages/b/src/b.ts) with no exact or slash-normalized duplicate paths and matching snapshots
• node node_modules/uvu/bin.js -r tsm src main.test exits non-zero locally due unrelated Windows/env fixture failures (invalid-package-json, pnpm-workspaces ENOENT); the npm-workspaces fixture itself passes.

Risk

Medium-low. This adds a new explicit npm workspace mode and keeps existing Yarn/pnpm modes intact. Glob support intentionally covers common single-star workspace patterns such as packages/*.

Non-goals

• No changes to Yarn or pnpm workspace behavior.
• No full npm glob implementation or new glob dependency.

[jojosenthusiast]

check-pr appears to be failing before it reaches PR validation.

The failing step is actions/checkout@v4 trying to check out sourcegraph/devx-service, then failing while retrieving the default branch with Bad credentials - https://docs.github.com/rest. This PR is from a fork, and I do not have permission to rerun the workflow (gh run rerun --failed requires repo admin rights).

The PR-specific local checks listed in the body are green on my side. If a maintainer can rerun or refresh the workflow credentials, that should separate the infra/auth issue from the PR diff.