[codex] add self-sustaining pipeline

[netopsengineer]

Summary

Adds the self-sustaining dependency and quality pipeline described in docs/self-sustaining-pipeline-plan.md.

Changes

• Adds locked npm tooling state with .npmrc, package.json, and package-lock.json for cspell, markdownlint-cli2, and markdown-table-formatter.
• Converts npm-backed pre-commit hooks to local npx --no-install hooks.
• Updates CI with npm install, Node LTS, concurrency, weekly scheduled runs, and scheduled failure issue reporting.
• Replaces Dependabot configuration with daily grouped/cooldown updates for GitHub Actions, Docker, pre-commit, and npm.
• Adds a Dependabot auto-merge workflow that approves Dependabot PRs and enables squash auto-merge after required checks pass.
• Removes the legacy pre-commit autoupdate workflow.

GitHub Settings Already Applied

• Enabled auto-merge, update branch, delete branch on merge, and squash merge.
• Disabled merge commits and rebase merges.
• Kept Actions default token permissions read-only and can_approve_pull_request_reviews=true.
• Created required labels: github-actions, docker, pre-commit, npm, ci-scheduled.
• Updated the active Default branch ruleset to require the lint GitHub Actions check with strict_required_status_checks_policy=false, while preserving the existing one-review PR rule and squash-only merge method.

Validation

Passed:

• npm ci
• npx --no-install cspell --config cspell.json .
• npx --no-install markdownlint-cli2 --config .markdownlint-cli2.jsonc "**/*.md" "#node_modules"
• prek run check-yaml --files .github/workflows/ci.yml .github/workflows/dependabot-auto-merge.yml .github/dependabot.yml .pre-commit-config.yaml
• prek run actionlint --files .github/workflows/ci.yml .github/workflows/dependabot-auto-merge.yml
• prek run cspell --files .github/workflows/ci.yml .github/workflows/dependabot-auto-merge.yml .github/dependabot.yml .pre-commit-config.yaml docs/self-sustaining-pipeline-plan.md docs/self-sustaining-pipeline-goal.md package.json package-lock.json cspell.json
• prek run markdownlint-cli2 --files docs/self-sustaining-pipeline-plan.md docs/self-sustaining-pipeline-goal.md README.md CLAUDE.md
• git diff --check

Partially blocked locally:

• prek run --all-files and make lifecycle pass all non-Docker hooks but fail at make lifecycle because the local Docker daemon is not reachable at /Users/joswatki/.docker/run/docker.sock. docker info confirms the Docker client is installed but no server is reachable. The GitHub-hosted Ubuntu runner should have Docker available for the CI check.