Add security scanning to CI (npm audit + CodeQL)

## Problem

The CI pipeline has no security scanning. Known vulnerabilities in dependencies go undetected, and there is no static analysis for common security issues (XSS, injection, etc.) in the codebase.

## Scope of Work

### 1. Add `npm audit` step to existing CI workflow

Add a step to `.github/workflows/ci.yml` after `npm ci`:

```yaml
- name: Security audit
  run: npm audit --audit-level=high
```

This fails the build if any high or critical vulnerabilities are found.

### 2. Add CodeQL analysis workflow

Create `.github/workflows/codeql.yml`:
- Trigger on push to main, PRs to main, and weekly schedule (for new CVE detection)
- Language: `javascript-typescript`
- Use `github/codeql-action/init`, `github/codeql-action/autobuild`, `github/codeql-action/analyze`

## Acceptance Criteria

- [ ] `npm audit --audit-level=high` runs in CI and fails on high/critical vulnerabilities
- [ ] `.github/workflows/codeql.yml` exists and runs successfully
- [ ] CodeQL results appear in the repository's Security tab
- [ ] Both checks pass on the current main branch (fix any existing audit issues first if needed)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add security scanning to CI (npm audit + CodeQL) #37

Problem

Scope of Work

1. Add `npm audit` step to existing CI workflow

2. Add CodeQL analysis workflow

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add security scanning to CI (npm audit + CodeQL) #37

Description

Problem

Scope of Work

1. Add npm audit step to existing CI workflow

2. Add CodeQL analysis workflow

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

1. Add `npm audit` step to existing CI workflow