
chore(sec): add dependabot + codeql configs (admin toggles required in Settings)#370

Open
Adiz4415 wants to merge 1 commit into geevapp:main from Adiz4415:chore/enable-github-side-hardening

Conversation

@Adiz4415


Summary

This PR adds the code-level pieces of the GitHub-side hardening referenced in SECURITY.md ("GitHub-Side Hardening" section). The contributing token on geevapp/geev is pull: true only (no admin / push), so the actual feature toggles cannot be flipped via API — they must be enabled by a maintainer under repo Settings once this PR merges.

Changes

  • .github/dependabot.yml — Dependabot version updates for the app/ npm workspace and for GitHub Actions at the repo root. Weekly cadence, group minor/patch to reduce PR noise, conventional-commits prefix, auto-rebase. Cargo / contracts/ workspace intentionally not covered (no first-class Dependabot support for cargo today).
  • .github/workflows/codeql.yml — CodeQL Analysis workflow for the Next.js app/ workspace. Weekly cron + on-push-to-main + on-PR-to-main triggers, least-privilege permissions (security-events: write, contents: read), queries: security-and-quality, build-mode: none (JS/TS only).

Reviewer feedback has been incorporated — area: app label was kept (Dependabot gracefully skips unknown labels) and CodeQL action is pinned to @v3 major (locking to commit hashes can come in a follow-up via Dependabot itself).

Maintainer Action Required

Settings → Code security and analysis (admin-only):

Feature | Status before this PR | Toggle
--- | --- | ---
Dependabot security alerts | disabled (probe returned 403) | Enable
Dependabot version updates | disabled | Enable (will pick up .github/dependabot.yml)
Code scanning (CodeQL) | disabled | "Default setup" picks up the new workflow automatically
Secret scanning | not enabled | Enable
Push protection (secrets) | not enabled | Enable
Private vulnerability reporting | API returned enabled: false | Enable

After enabling:

  • pnpm audit / cargo audit should start informing Dependabot PRs.
  • CodeQL Analysis workflow will begin posting SARIF runs into the Security tab.
  • gh api /repos/geevapp/geev/vulnerability-alerts will return 200 once alerts are on.

Out of scope (intentional follow-ups)

  • A cargo audit workflow for the contracts/ workspace — Dependabot does not cover Cargo reliably today; we will add a separate CI job.
  • Pinning CodeQL action to commit hashes (let Dependabot drive that through its own GH Actions updates).

Test / verify

No automated test for this PR — code-land is config files only. After Settings toggles are on, expect dependabot.yml + codeql workflow to fire Monday morning (or sooner if manually triggered).

Adds the code-level pieces of GitHub-side hardening that do not require admin on geevapp/geev to land: a Dependabot config for the app/ npm workspace and GitHub Actions at the repo root (weekly cadence, grouped minor/patch updates, conventional-commits prefix), and a CodeQL Analysis workflow for the Next.js app/ workspace (weekly cron + on-push/on-PR triggers, least-privilege permissions, security-and-quality queries). The actual platform toggles (Dependabot alerts, Code Scanning, Secret Scanning + push protection, Private Vulnerability Reporting) require admin access and must be flipped by a maintainer under repo Settings → Code security and analysis. See SECURITY.md for the full checklist.
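A reconstruction of the two files as the description specifies them (npm and github-actions ecosystems, weekly cadence, grouped minor/patch, conventional-commits prefix, auto-rebase; CodeQL on push/PR to main plus weekly cron, job-scoped permissions, security-and-quality queries, build-mode none). This is an added illustration, not the PR's diff: the cron hour, the commit-message prefixes and the group name are assumptions, and the two files are shown in one block separated by a YAML document marker.

```yaml
# .github/dependabot.yml: reconstructed from the description, not the PR's file
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/app"
    schedule:
      interval: "weekly"
      day: "monday"               # assumed day ("Monday morning" in the description)
    commit-message:
      prefix: "chore(deps)"       # assumed conventional-commits prefix
    rebase-strategy: "auto"
    groups:
      minor-and-patch:            # group name is an assumption
        update-types: ["minor", "patch"]
    labels: ["area: app"]         # Dependabot skips labels that do not exist
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(ci)"         # assumed prefix
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]
---
# .github/workflows/codeql.yml: reconstructed, same caveats
name: CodeQL Analysis
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"           # assumed: Monday 06:00 UTC
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write      # needed to upload SARIF to the Security tab
      contents: read              # checkout only; nothing else is granted
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          build-mode: none        # JS/TS is analyzed without a build step
          queries: security-and-quality
          source-root: app        # analyze only the Next.js workspace
      - uses: github/codeql-action/analyze@v3
```

Pinning the two actions to full commit SHAs instead of `@v3`/`@v4` is the follow-up the description defers to Dependabot's github-actions updates.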
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

