[codex] configure fallow analysis

[KeKs0r]

Summary

• Add fallow configuration and a chkit convention plugin so Bun tests, Cloudflare Pages functions, Astro custom CSS, and the CLI E2E testkit are treated correctly by fallow.
• Add root fallow scripts for local/advisory PR preflight and future CI hard gating.
• Run the official fallow-rs/fallow@v2 action in the existing CI verify job and upload SARIF with CodeQL before the Turbo verification step.
• Remove two files that were verified as genuinely unused: packages/cli/src/bin/clickhouse-resource.ts and src/db/schema/example.ts.

Validation

• bun run typecheck passed.
• bun run fallow:pr ran as advisory output and exits successfully; it currently reports 2 existing unused-dependency findings in the changed scope.

Notes

• The existing local .gitignore edit adding .fallow was left unstaged and is not part of this PR.
• The local PR creation skill was updated to run bun run fallow:pr when present, but that skill change lives outside this repository and is not part of the PR diff.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.