feat(security): add CodeQL analysis workflow and ESLint security plugins

.gitignore

@@ -36,6 +36,11 @@ public/sitemap.xml
 # Generated by scripts/generate-security-headers.mjs at build time
 security-headers.conf
 
+# CodeQL local scan artifacts (npm run security:codeql)
+codeql-db/
+codeql-results.sarif
+codeql-results.csv
+
 #backup
 .seo-backup
 libreoffice-wasm-package