Add security scanning workflow (CodeQL + dependency-review + OSV) #114

@jmcte

Description

Context

docs/omt-global-ci-cd-audit-2026-04-14.md flags the absence of a centralized security-scan lane as one of the highest-risk org-wide findings and explicitly names this repo as the natural source for reusable security workflows:

the current template still stops at fast-checks plus validate-secrets; it does not yet centralize dependency review, CodeQL, Semgrep, or OSV in a reusable security workflow.

The repo currently has Dependabot (.github/dependabot.yml) and scripts/check-detect-secrets.sh, but no CodeQL, dependency-review, or OSV scanning workflow.

Scope

  • Add .github/workflows/security.yml (or codeql.yml + dependency-review.yml) that runs:
    • CodeQL for JavaScript/TypeScript (and Python where relevant)
    • actions/dependency-review-action on pull requests
    • OSV scanner against the lockfile on pull requests and on a nightly cron
  • Run on hosted runners only (audit target state: rg-security, never general-purpose persistent runners).
  • Surface findings in the Security tab; do not make the new workflow a required PR status check (per CLAUDE.md guardrail: keep CI Gate as the single required check).

Acceptance Criteria

  • CodeQL results appear under the repo's Security tab on PRs touching source.
  • Dependency-review fails PRs that introduce high-severity vulnerable transitive deps.
  • OSV nightly run posts/uploads a SARIF report.
  • Workflow runs on ubuntu-latest, not on self-hosted runners.
  • CI Gate remains the only required status check.
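One way to lay out the workflow the scope and acceptance criteria describe, as an added example and not a file from this repo: a single security.yml with three jobs (CodeQL matrix, dependency review on pull requests, OSV scan on pull requests and a nightly cron), all on ubuntu-latest, with findings uploaded as SARIF to the Security tab. The action major-version pins, the branch name main, the 03:00 UTC cron, the language list, the lockfile name package-lock.json, and the OSV reusable-workflow inputs (scan-args, fail-on-vuln) are assumptions; pin each action to a full tag or commit SHA before adopting it.

```yaml
# .github/workflows/security.yml  (added example; not the repo's own file)
name: Security scanning

on:
  pull_request:
    branches: [main]          # assumption: default branch is "main"
  push:
    branches: [main]          # gives CodeQL a default-branch baseline for PR diffs
  schedule:
    - cron: "0 3 * * *"       # assumption: nightly OSV run at 03:00 UTC

# Least privilege at the top level: SARIF upload needs security-events: write,
# checkout needs contents: read, CodeQL needs actions: read for workflow metadata.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  codeql:
    name: CodeQL (${{ matrix.language }})
    runs-on: ubuntu-latest    # hosted runner only; never a self-hosted persistent runner
    strategy:
      fail-fast: false
      matrix:
        language: [javascript-typescript, python]   # assumption: both ecosystems exist in the repo
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so results do not overwrite each other
          # in the Security tab.
          category: "/language:${{ matrix.language }}"

  dependency-review:
    name: Dependency review
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Fail the PR when it introduces a high- or critical-severity advisory,
          # including through transitive dependencies in the lockfile diff.
          fail-on-severity: high

  osv-scan:
    name: OSV scanner
    if: github.event_name == 'pull_request' || github.event_name == 'schedule'
    # Reusable workflow from google/osv-scanner-action; it runs osv-scanner and
    # uploads the SARIF itself. "v1" is a placeholder pin (assumption).
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1
    permissions:
      actions: read
      contents: read
      security-events: write
    with:
      # Assumption: npm lockfile at the repo root; arguments are passed to the CLI.
      scan-args: |-
        --lockfile=package-lock.json
      # Findings are surfaced in the Security tab, not used as a blocking check.
      fail-on-vuln: false
```

None of these job names are added to branch protection, so CI Gate stays the single required status check; dependency-review still shows as a failed check on the PR when it finds a high-severity advisory, which satisfies the acceptance criterion without making the workflow required.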

Related
