
feat: add workflow audit pack with real-case validation #30

Merged

jonathansantilli merged 1 commit into main from codex/workflow-audit-pack-ultra on Mar 23, 2026

Conversation

@jonathansantilli (Owner)

Summary

  • add a new workflow audit pack that scans GitHub workflow, action, and dependabot artifacts
  • introduce detector waves A-E covering unpinned refs, dangerous triggers, permission misuse, template injection, secret handling, obfuscation, bot-condition bypass patterns, dependabot execution/cooldown risks, and more
  • add parser/foundation modules for workflow/action/dependabot data extraction and detector registry wiring
  • expand CLI/help/docs to expose workflow audit usage and collection options
  • add a local real-case corpus plus parity checklist and parity contract tests

Why

  • bring first-class CI/CD and automation-chain risk detection into normal codegate scan workflows
  • keep findings grounded with real workflow/dependabot examples and enforce parity expectations through tests

Verification

  • npm run typecheck
  • npm test
  • npm run lint
  • npm run build

Notes

  • unrelated untracked local artifacts were intentionally left out (.devcontainer/, docs/research/, docs/research.zip)
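As an added illustration of the detection classes the PR summary lists, the TypeScript below performs a deliberately simplified, line-based scan of a workflow file for three of them: an action ref not pinned to a full commit SHA, a `pull_request_target` trigger, and an event-controlled expression interpolated into a `run:` step. This is example code, not codegate's parser or detectors (which are not shown on this page); the sample workflow, the placeholder commit SHA in it, and the list of untrusted expression contexts are all constructed for the example.

```typescript
// Added example (not codegate's own code): a simplified, line-based scan of a
// GitHub workflow file for three of the risk classes named in the PR summary.
// A real detector would walk a parsed YAML tree; this version keys on
// `uses:` / `run:` / trigger lines so it runs without a YAML library.

type Rule = "unpinned-action-ref" | "dangerous-trigger" | "template-injection";

interface Finding {
  line: number;   // 1-based line in the workflow text
  rule: Rule;
  detail: string; // the ref, trigger or expression that fired the rule
}

// A full 40-hex commit SHA is the only action ref that cannot be moved later;
// tags and branches can be re-pointed by whoever controls the action repo.
const SHA_RE = /^[0-9a-f]{40}$/;

// Event-controlled values that are commonly interpolated into shell steps.
// Assumption for the example: a small sample list, not an exhaustive one.
const UNTRUSTED_EXPR_RE =
  /\$\{\{\s*(?:github\.event\.(?:issue|pull_request|comment|review|head_commit)\.[A-Za-z_.]+|github\.head_ref)\s*\}\}/;

function scanWorkflow(yamlText: string): Finding[] {
  const findings: Finding[] = [];
  const lines = yamlText.split("\n");
  let inRunBlock = false; // inside a multi-line `run: |` / `run: >` scalar
  let runIndent = -1;     // indentation of the line that opened the block

  for (let i = 0; i < lines.length; i++) {
    const raw = lines[i] ?? "";
    const lineNo = i + 1;
    const text = raw.trim();
    const indent = raw.search(/\S|$/); // index of first non-space character

    // A block scalar ends at the first non-empty line that is not indented
    // deeper than the `run:` key that opened it.
    if (inRunBlock && text !== "" && indent <= runIndent) inRunBlock = false;

    if (inRunBlock) {
      const m = UNTRUSTED_EXPR_RE.exec(text);
      if (m) findings.push({ line: lineNo, rule: "template-injection", detail: m[0] });
      continue;
    }

    // Trigger check: pull_request_target runs with the base repo's secrets and
    // write token, so its presence is reported for review.
    if (/^(?:-\s*)?pull_request_target:?\s*$/.test(text) || /^on:.*\bpull_request_target\b/.test(text)) {
      findings.push({ line: lineNo, rule: "dangerous-trigger", detail: "pull_request_target" });
      continue;
    }

    const uses = /^(?:-\s*)?uses:\s*(\S+)/.exec(text);
    if (uses) {
      const ref = uses[1] ?? "";
      // Local actions and docker:// images are out of scope for this check.
      if (ref.indexOf("./") !== 0 && ref.indexOf("docker://") !== 0) {
        const at = ref.lastIndexOf("@");
        const version = at === -1 ? "" : ref.slice(at + 1);
        if (!SHA_RE.test(version)) {
          findings.push({ line: lineNo, rule: "unpinned-action-ref", detail: ref });
        }
      }
      continue;
    }

    const run = /^(?:-\s*)?run:\s*(.*)$/.exec(text);
    if (run) {
      const body = run[1] ?? "";
      if (/^[|>][+-]?$/.test(body)) {
        inRunBlock = true; // the command text starts on the following lines
        runIndent = indent;
        continue;
      }
      const m = UNTRUSTED_EXPR_RE.exec(body);
      if (m) findings.push({ line: lineNo, rule: "template-injection", detail: m[0] });
    }
  }
  return findings;
}

// Constructed sample workflow. The 40-hex SHA below is a placeholder, not a
// real commit. Built as an array because `${{` inside a template literal
// would be read as interpolation.
const SAMPLE_WORKFLOW = [
  "name: ci",
  "on:",
  "  pull_request_target:",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567",
  "      - name: greet",
  "        run: |",
  '          echo "Title: ${{ github.event.pull_request.title }}"',
  "          echo done",
  '      - run: echo "safe"',
].join("\n");

for (const f of scanWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.rule} (${f.detail})`);
}
```

Run against the sample, the scan reports the `pull_request_target` trigger on line 3, `actions/checkout@v4` on line 8 (tag, not SHA), and the interpolated PR title on line 12; the SHA-pinned `setup-node` step and the literal `echo "safe"` step produce nothing. The block-scalar tracking by indentation is the part a naive grep misses: the injected expression sits on a continuation line, not on the `run:` line itself.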

@jonathansantilli force-pushed the codex/workflow-audit-pack-ultra branch from 8bb41ea to a9ab51a on March 23, 2026 11:52
@jonathansantilli merged commit a0ea9e1 into main on Mar 23, 2026
16 checks passed
@jonathansantilli deleted the codex/workflow-audit-pack-ultra branch on March 23, 2026 12:56
jonathansantilli added a commit that referenced this pull request Mar 24, 2026
…k-ultra

feat: add workflow audit pack with real-case validation
1 participant