ci: replace CodeQL Default Setup with custom Advanced Setup workflow

[Copilot]

GitHub's CodeQL Default Setup (dynamic/github-code-scanning/codeql) was intermittently failing during init with HttpError: Requires authentication when it calls the GitHub REST API to check "feature enablement" (ML-enhanced query availability). This aborts the job before any analysis runs.

Changes

• .github/workflows/codeql.yml — new custom CodeQL workflow (Advanced Setup) for javascript-typescript:
  • Runs on push/PR to trunk and weekly schedule
  • Explicit security-events: write permission
  • build-mode: none (correct for JS/TS)
  • Job name Analyze (${{ matrix.language }}) preserves the check run name that branch protection rules reference
  • No feature-enablement API call — Advanced Setup skips that Default Setup-specific check entirely
  • GitHub automatically disables Default Setup for covered languages when a custom workflow is present, so there's no duplication