
Commit 1a1b6cc

fix(security): suppress prototype-pollution-loop false positive in check-types-sync.ts (#298)
The scheduled `mise run security` suite is RED on main because semgrep's `prototype-pollution-loop` rule flags scripts/check-types-sync.ts:286:

    value = (value as Record<string, unknown>)[seg];

This is a false positive. resolveConstantsReference walks a property chain *down* SHARED_CONSTANTS (the build-time-trusted contracts/constants.json): it reads value[seg] and reassigns the local `value`, and never assigns to any object property, so there is no prototype-pollution sink. The `seg` keys come from this script's own TypeScript AST, not external input.

Suppress inline with a justified nosemgrep, matching the repo convention (cli/src/commands/submit.ts:232, agent/src/config.py:165). Keeping it inline leaves every other prototype-pollution site gated.

Verified: `semgrep scan --config auto scripts/check-types-sync.ts` now reports 0 findings (0 blocking).

Closes #283
Refs #297
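The distinction the commit message draws, a read-only walk that only reassigns a local versus a loop that assigns into object properties, is what the semgrep rule is looking for. The following is an added example, not code from this repository: `resolveByPath` mirrors the shape of the walk in `resolveConstantsReference`, `setByPathUnsafe` is a genuine prototype-pollution loop kept vulnerable for contrast, and `setByPathSafe` is a hardened writer. `SHARED_CONSTANTS_SAMPLE` is a constructed stand-in for contracts/constants.json, and all function names here are illustrative assumptions.

```typescript
// Added example (not the project's own code). SHARED_CONSTANTS_SAMPLE is a
// constructed stand-in for the build-time-trusted contracts/constants.json.
const SHARED_CONSTANTS_SAMPLE: Record<string, unknown> = {
  limits: { maxUploadBytes: 10_485_760, maxRetries: 3 },
  version: "2.1.0",
};

const hasOwn = (obj: object, key: string): boolean =>
  Object.prototype.hasOwnProperty.call(obj, key);

// Read-only walk in the shape of resolveConstantsReference: `value` is a local
// that is reassigned on each step; no object property is ever written, so there
// is no prototype-pollution sink regardless of what the segments contain.
function resolveByPath(root: unknown, segments: string[]): unknown {
  let value: unknown = root;
  for (const seg of segments) {
    if (value == null || typeof value !== "object") return undefined;
    // Own-property check: without it a segment such as "constructor" resolves to
    // an inherited function rather than to "not found".
    if (!hasOwn(value, seg)) return undefined;
    value = (value as Record<string, unknown>)[seg];
  }
  // Only scalar leaves are valid references; intermediate objects are not.
  if (value == null || typeof value === "object") return undefined;
  return value;
}

// A real prototype-pollution loop: `cursor[seg] = {}` and the final
// `cursor[last] = leaf` are write sinks, and a path through "__proto__" moves
// `cursor` onto Object.prototype. Deliberately vulnerable, for contrast.
function setByPathUnsafe(target: Record<string, unknown>, path: string, leaf: unknown): void {
  const segments = path.split(".");
  let cursor: Record<string, unknown> = target;
  for (const seg of segments.slice(0, -1)) {
    if (typeof cursor[seg] !== "object" || cursor[seg] === null) cursor[seg] = {};
    cursor = cursor[seg] as Record<string, unknown>;
  }
  cursor[segments[segments.length - 1]] = leaf;
}

// Hardened writer: reject the segments that reach the prototype chain, descend
// only through own properties, and create intermediates with a null prototype.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function setByPathSafe(target: Record<string, unknown>, path: string, leaf: unknown): void {
  const segments = path.split(".");
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing to write through segment "${seg}"`);
    }
  }
  let cursor: Record<string, unknown> = target;
  for (const seg of segments.slice(0, -1)) {
    const next = hasOwn(cursor, seg) ? cursor[seg] : undefined;
    if (typeof next !== "object" || next === null) {
      const created = Object.create(null) as Record<string, unknown>;
      cursor[seg] = created;
      cursor = created;
    } else {
      cursor = next as Record<string, unknown>;
    }
  }
  cursor[segments[segments.length - 1]] = leaf;
}

// Runs the attacker-style path "__proto__.polluted" through both writers and
// reports whether an unrelated object picked up the key (the pollution) and
// whether the hardened writer refused the path. Cleans up the global side effect.
function demonstratePollution(): { unsafeLeaked: boolean; safeThrew: boolean } {
  const victim: Record<string, unknown> = {};
  const unrelated: Record<string, unknown> = {};
  setByPathUnsafe(victim, "__proto__.polluted", true);
  const unsafeLeaked = (unrelated as { polluted?: unknown }).polluted === true;
  delete (Object.prototype as { polluted?: unknown }).polluted;
  let safeThrew = false;
  try {
    setByPathSafe({}, "__proto__.polluted", true);
  } catch {
    safeThrew = true;
  }
  return { unsafeLeaked, safeThrew };
}
```

The semgrep rule keys on the assignment inside the loop (`cursor[seg] = ...`), which is exactly what the read-only resolver never does; the own-property check in `resolveByPath` is not needed for pollution safety but keeps a segment like `constructor` from resolving to an inherited value.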
1 parent 5d28f14 commit 1a1b6cc

1 file changed

Lines changed: 1 addition & 0 deletions

File tree

scripts/check-types-sync.ts

Original file line number | Diff line number | Diff line change
@@ -283,6 +283,7 @@ function resolveConstantsReference(
283283
let value: unknown = SHARED_CONSTANTS;
284284
for (const seg of segments) {
285285
if (value == null || typeof value !== 'object') return undefined;
286+
// nosemgrep: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop -- read-only walk down build-time-trusted contracts/constants.json; `seg` keys come from this script's own TS AST, not external input, and no object property is ever assigned (value is reassigned, never written).
286287
value = (value as Record<string, unknown>)[seg];
287288
}
288289
if (value == null || typeof value === 'object') return undefined;
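Review bot: the suppressed read at line 287 is safe from pollution, but it will still follow inherited keys: with `segments` containing `constructor` or `toString`, `(value as Record<string, unknown>)[seg]` resolves to a function from Object.prototype, and the check at line 288 only rejects null and objects, so that function passes through as if it were a valid constant. Since the keys are expected to name own entries of contracts/constants.json, an own-property guard before the read, e.g. `if (!Object.prototype.hasOwnProperty.call(value, seg)) return undefined;`, would make the walk return "not found" for such segments and also make the nosemgrep justification self-evidently true from the code rather than from the comment.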
