chore(ci): restore CodeQL workflow (repo is now public)

[ElMatiOfficial]

Reverses #38. Now that the repo is public, CodeQL is free and the original workflow works unchanged — no more "Code scanning is not enabled for this repository" red.

Changes

• `.github/workflows/codeql.yml` restored bitwise from commit 21e186c (the PR that first introduced it). Keeps history bisect-friendly.
• `docs/DEPLOYMENT.md` and `docs/SECURITY_ARCHITECTURE.md` reverted to their pre-chore(ci): remove CodeQL workflow until repo is public #38 wording.

Test plan

• CI: the 5 existing jobs stay green.
• NEW: `Analyze (javascript-typescript)` runs and passes — first time since CodeQL was removed. Uploaded SARIF should show up at Security → Code scanning alerts.
• Any findings CodeQL surfaces: each gets its own issue; none block this PR.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.