chore(oss): ship CodeQL, CoC, CODEOWNERS coverage, and policy-block fallback

[stackbilt-admin]

Summary

Implements the OSS hygiene/security posture changes tracked in #166 and adds a documented fallback path for assistant policy blocks tracked in #172.

Shipped

• Added root CODE_OF_CONDUCT.md (Contributor Covenant 2.1, enforcement contact admin@stackbilt.dev)
• Added .github/workflows/codeql.yml for JS/TS code scanning on push/PR to main + weekly schedule
• Expanded .github/CODEOWNERS to include catch-all ownership + critical path overrides
• Updated SECURITY.md scope to include all 12 OSS packages
• Added CONTRIBUTING.md mitigation guidance for policy-blocked governance/security file edits

Why

• Close repo-level OSS trust gaps called out in oss: add CODE_OF_CONDUCT, CodeQL workflow, and expand CODEOWNERS coverage #166
• Prevent delivery stalls when model policy blocks defensive governance/security-posture file updates (blocker: Claude content filter blocks OSS security-posturing tasks (CodeQL, CODEOWNERS, CODE_OF_CONDUCT) #172)

Validation

• Verified file presence and content in repo:
  • CODE_OF_CONDUCT.md
  • .github/workflows/codeql.yml
  • .github/CODEOWNERS
  • SECURITY.md
  • CONTRIBUTING.md

Closes #166
Refs #172

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[stackbilt-admin]

Maintainer pass summary for #173:

• Scope check: exact oss: add CODE_OF_CONDUCT, CodeQL workflow, and expand CODEOWNERS coverage #166/blocker: Claude content filter blocks OSS security-posturing tasks (CodeQL, CODEOWNERS, CODE_OF_CONDUCT) #172 surface only (5 files, repo-hygiene + mitigation docs)
• Security/governance additions present: CODE_OF_CONDUCT.md, CodeQL workflow, expanded CODEOWNERS, SECURITY scope update
• Local mitigation documented: CONTRIBUTING.md includes policy-block fallback procedure

Blocking review item found and fixed in-branch:

• @Stackbilt-dev/charter-maintainers was an unknown CODEOWNERS owner on this repo branch.
• Fixed in commit 93d3047 by switching to resolvable owner @stackbilt-admin.
• Verified clean with:
  • GET /repos/Stackbilt-dev/charter/codeowners/errors?ref=feat/github-repo-hygiene -> {"errors":[]}

Merge readiness:

• Governance + CI are green.
• CodeQL is still updating in the check rollup at the time of this comment; merge once final required checks are green.