ci: add push/PR test gate + CodeQL to the public packages repo

eleanor4devs-public previously had ONLY publish-all.yml, so the @eleanor4devs/*
package tests ran only at publish time — not on push. That is how the
install_hygiene break (Linux-only, skipped on the Windows dev box) reached the
publish gate instead of being caught at its introducing push.

- ci.yml: on push + PR to main, Node 20 + 22 — npm ci -> lint -> build ->
  typecheck -> npm test (ELEANOR4DEVS_SKIP_LIVE_NPM=1). Same step order as
  publish-all.yml's pre-publish gate, so CI mirrors the publish gate.
- codeql.yml: javascript-typescript static analysis on push + PR + weekly,
  mirroring the sibling public repo kychee-com/run402-mcp.

Brings eleanor4devs-public in line with run402-mcp (which already runs
test.yml + codeql.yml on push). Verified the full sequence green locally first
(lint/build/typecheck/test all exit 0).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: volinskey

.github/workflows/ci.yml

@@ -0,0 +1,65 @@
+name: CI
+
+# Regression gate for the @eleanor4devs/* packages. Runs the FULL test +
+# typecheck suite on every PR and every push to main — so package breakage is
+# caught at push time, not only at /publish (publish-all.yml's pre-publish
+# gate). Mirrors the convention used by the sibling public repo
+# kychee-com/run402-mcp (its test.yml) and the private repo's ci.yml.
+#
+# A workflow running is NOT the same as a workflow blocking: to make this a
+# required check (red CI prevents a merge), enable branch protection on `main`
+# requiring the "CI / Node / TypeScript (20)" + "(22)" checks
+# (Settings -> Branches, or `gh api`). See the repo's release docs.
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  node:
+    name: Node / TypeScript
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: [20, 22]
+    env:
+      # Live-network tests (npm_published, cli_auth_live, cli_version_live,
+      # voice_deploy, marketing_site) verify ALREADY-published/deployed
+      # artifacts — they are post-publish checks, not pre-merge gates. Skip
+      # them here, exactly as publish-all.yml's pre-publish test step does.
+      ELEANOR4DEVS_SKIP_LIVE_NPM: "1"
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node ${{ matrix.node }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      # Build BEFORE test: several tests spawn the built binary
+      # (node packages/<pkg>/dist/cli.js), so dist/ must exist first — same
+      # ordering as publish-all.yml's pre-test build step.
+      - name: Build all packages
+        run: npm run build --workspaces --if-present
+
+      - name: Type-check (tsc — src + tests, incl. expectTypeOf)
+        run: npm run typecheck --workspaces --if-present
+
+      - name: Test (all workspaces)
+        run: npm test

.github/workflows/codeql.yml

@@ -0,0 +1,24 @@
+name: CodeQL
+
+# Static security analysis for the @eleanor4devs/* package sources. Mirrors the
+# sibling public repo kychee-com/run402-mcp's codeql.yml: on push + PR to main,
+# plus a weekly scheduled scan. Free for public repos.
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+      - uses: github/codeql-action/analyze@v3