
ci: lock CodeQL out of org defaults #116

Merged
haasonsaas merged 1 commit into main from codex/kill-codeql-org-config on May 21, 2026

Conversation

@haasonsaas (Contributor) commented May 21, 2026

Summary

  • record the live EvalOps org security configuration as secret-protection-only instead of broad Advanced Security
  • require code_scanning_default_setup: disabled in the org control-plane contract
  • add verifier/test coverage so org-default edits fail if CodeQL/default code scanning comes back

Live verification

  • Updated org code security configuration 245233 to advanced_security: secret_protection and code_scanning_default_setup: disabled at 2026-05-21T04:32:19Z
  • Confirmed config 245233 is default for all new repos and all attached repos are enforced
  • Confirmed code search has no github/codeql-action or codeql hits under path:.github/workflows
  • Confirmed generated CodeQL workflow disable API still returns GitHub 422, so those workflow objects are tombstones; latest generated runs in platform/cerebro/chat predate the stronger org-config update

Test Plan

  • ruby .github/scripts/verify-org-control-plane-contract.rb --json-output /tmp/org-control-plane-contract-report.json --markdown-output /tmp/org-control-plane-contract-report.md
  • ruby -Itest test/verify_org_control_plane_contract_test.rb
  • ruby -Itest -e 'ARGV.each { |path| require "./#{path}" }' test/*_test.rb
  • ruby .github/scripts/audit-engineering-practices.rb --contract-only
  • git diff --check
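The summary says org-default edits should fail if CodeQL or default code scanning comes back. The following is an added illustration of that kind of contract check, not the repository's own verifier script: it assumes the org configuration is available as a hash with the two keys named above, and that workflow files are supplied as `{path => yaml_text}`; all sample data is constructed.

```ruby
require "yaml"

# Org code-security contract recorded in this PR (hypothetical hash shape,
# mirroring the two settings named in the summary).
ORG_CONTRACT = {
  "advanced_security" => "secret_protection",
  "code_scanning_default_setup" => "disabled"
}.freeze

# `uses:` references that mean CodeQL / default code scanning came back.
CODEQL_PATTERNS = [%r{github/codeql-action}i, /\bcodeql\b/i].freeze

# Compare a fetched org configuration hash against the contract.
# Returns violation strings; an empty array means the contract holds.
def org_config_violations(config)
  ORG_CONTRACT.filter_map do |key, expected|
    actual = config[key]
    "#{key}: expected #{expected.inspect}, got #{actual.inspect}" unless actual == expected
  end
end

# Scan workflow YAML bodies ({path => text}) for CodeQL action usage.
def workflow_violations(workflows)
  workflows.filter_map do |path, text|
    doc = YAML.safe_load(text) || {}
    steps = (doc["jobs"] || {}).values.flat_map { |job| job["steps"] || [] }
    uses = steps.map { |step| step["uses"].to_s }
    hit = uses.find { |u| CODEQL_PATTERNS.any? { |re| re.match?(u) } }
    "#{path}: uses #{hit}" if hit
  end
end

# Combined check; a verifier script would exit non-zero when this is non-empty.
def contract_violations(config, workflows)
  org_config_violations(config) + workflow_violations(workflows)
end

# Constructed sample inputs (not real EvalOps data).
COMPLIANT_CONFIG = { "advanced_security" => "secret_protection",
                     "code_scanning_default_setup" => "disabled" }.freeze
DRIFTED_CONFIG = { "advanced_security" => "enabled",
                   "code_scanning_default_setup" => "enabled" }.freeze
CLEAN_WORKFLOW = { ".github/workflows/ci.yml" => <<~YAML }.freeze
  jobs:
    test:
      steps:
        - uses: actions/checkout@v4
        - run: ruby -Itest test/verify_org_control_plane_contract_test.rb
YAML
CODEQL_WORKFLOW = { ".github/workflows/codeql.yml" => <<~YAML }.freeze
  jobs:
    analyze:
      steps:
        - uses: actions/checkout@v4
        - uses: github/codeql-action/init@v3
        - uses: github/codeql-action/analyze@v3
YAML
```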

@haasonsaas haasonsaas merged commit a2e7c5f into main May 21, 2026
3 checks passed
@haasonsaas haasonsaas deleted the codex/kill-codeql-org-config branch May 21, 2026 04:36
