
chore: harden dependency supply chain#14

Merged
mnaimfaizy merged 3 commits into main from security/dependency-supply-chain-hardening on Apr 6, 2026

Conversation

@mnaimfaizy
Owner

Summary

  • pin direct npm dependencies to exact reviewed versions, declare the repo npm-only, add .npmrc policy defaults, and block the compromised Axios releases 1.14.1 and 0.30.4 via package.json overrides
  • harden CI by pinning third-party actions to full SHAs, adding dependency review and secure install review jobs, and verifying that package-lock.json stays frozen after every npm ci
  • add repository governance and documentation for dependency security with docs/SECURITY, SECURITY.md, CODEOWNERS, Dependabot configuration, and dependency-specific Copilot instructions
  • keep the small source and test fixes needed to return the branch to a clean validated state after the security and dependency changes

Validation

  • npm audit --json reports 0 known vulnerabilities
  • npm run lint
  • npm run test:run
  • npm run build

Notes

  • the current lockfile does not include Axios, but the overrides prevent the compromised releases from being selected if Axios is introduced directly or transitively later
  • the repo intentionally does not enable blanket ignore-scripts=true because the current toolchain still relies on reviewed install-time packages such as esbuild and @tailwindcss/oxide; instead, CI now performs a metadata-only npm ci --ignore-scripts review stage before normal install-and-build jobs

Pin direct npm dependencies to exact reviewed versions and add npm policy defaults.

Harden CI with SHA-pinned actions, dependency review, secure install review, and frozen lockfile verification.

Document the policy in repository instructions and security docs, add governance files, and keep the lint/test warning fixes that were required to return the branch to a clean validated state.
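Added example, not code from this PR or its repository: an offline policy check modelled on the rules described above (exact pins for direct dependencies, a package.json override that pins Axios away from the blocked 1.14.1 and 0.30.4 releases, and lockfile entries that resolve from the npm registry with integrity hashes). The sample package.json and package-lock.json below are constructed; their package names, versions, URLs and hashes are placeholders.

```python
# Added example, not the PR's own code: a policy check for the rules the PR describes.
import re
# Compromised releases the PR blocks via package.json "overrides"
BLOCKED = {"axios": {"1.14.1", "0.30.4"}}
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")  # exact semver only: rejects ^, ~, ranges, dist-tags, git/URL specs
REGISTRY = "https://registry.npmjs.org/"

def manifest_problems(pkg: dict) -> list:
    """Direct deps must be exact pins; overrides must pin BLOCKED packages to a safe exact version."""
    out = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not EXACT.match(spec):
                out.append(f"{section}.{name}: {spec!r} is not an exact version")
    for name, bad in BLOCKED.items():
        spec = pkg.get("overrides", {}).get(name)
        if spec is None or not EXACT.match(spec) or spec in bad:
            out.append(f"overrides.{name}: need an exact pin outside {sorted(bad)}")
    return out

def lockfile_problems(lock: dict) -> list:
    """Every lockfile v2/v3 'packages' entry (nested ones included) must resolve from the npm registry with a sha512 integrity hash and must not be a blocked release."""
    out = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):  # root project entry / workspace symlink
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        version = meta.get("version", "")
        if version in BLOCKED.get(name, ()):
            out.append(f"{path}: blocked release {name}@{version}")
        if not meta.get("resolved", "").startswith(REGISTRY):
            out.append(f"{path}: not resolved from {REGISTRY}")
        if not meta.get("integrity", "").startswith("sha512-"):
            out.append(f"{path}: missing sha512 integrity")
    return out

# Constructed sample inputs; package names, versions, URLs and hashes are placeholders
SAMPLE_PKG = {"dependencies": {"some-lib": "2.1.0", "other-lib": "^3.0.0"},
              "overrides": {"axios": "1.13.0"}}
SAMPLE_LOCK = {"packages": {
    "": {"name": "sample-app"},
    "node_modules/some-lib": {"version": "2.1.0", "resolved": REGISTRY + "some-lib/-/some-lib-2.1.0.tgz", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/other-lib": {"version": "3.0.1", "resolved": "https://example.com/other-lib-3.0.1.tgz"},
    "node_modules/some-lib/node_modules/axios": {"version": "1.14.1", "resolved": REGISTRY + "axios/-/axios-1.14.1.tgz", "integrity": "sha512-PLACEHOLDER"},
}}

if __name__ == "__main__":
    for problem in manifest_problems(SAMPLE_PKG) + lockfile_problems(SAMPLE_LOCK):
        print("FAIL", problem)
```

Run it against real files by loading package.json and package-lock.json with json.load and passing the dicts in; a non-empty result should fail the CI job.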
@mnaimfaizy mnaimfaizy self-assigned this Apr 6, 2026
@mnaimfaizy mnaimfaizy merged commit 70d7f67 into main Apr 6, 2026
9 checks passed
@mnaimfaizy mnaimfaizy deleted the security/dependency-supply-chain-hardening branch April 6, 2026 08:57
