ci(codeql): rewire local model pack discovery — fix 1122f5a silent no-op

Two CodeQL runs (commits 1122f5a + c4157fd) since the initial Option A
landing both completed with conclusion=success but failed to dismiss
alert #23 (go/request-forgery on scep_probe.go:232). Root cause: the
local pack never loaded.

The bug was in codeql-config.yml — `packs: { go: ['./'] }` looked
plausible (the path is relative to the config file's directory) but
the `packs:` field requires pack NAMES, not paths. Discovery of
unpublished local packs goes through the codeql-action `init` step's
`additional-packs:` input, not through `packs:`.

Verified pattern by reading github/vscode-codeql's working
.github/codeql/ setup. The supported chain:

   workflow init step      passes additional-packs: <parent-dir>
                                        ↓
       CodeQL CLI           registers each pack under the parent
                                        ↓
   codeql-config.yml        names the pack in `packs: go: [name]`
                                        ↓
       CodeQL CLI           resolves the name → pack on disk
                                        ↓
   pack's qlpack.yml        declares extensionTargets: codeql/go-all
                                        ↓
   data extension YAML      auto-loads, applies the barrier rows

Restructure to match this chain:

  Before                                    After
  --------                                  -----
  .github/codeql/qlpack.yml                .github/codeql/codeql-config.yml
  .github/codeql/models/                   .github/codeql/certctl-models/
    request-forgery-sanitizers.model.yml     qlpack.yml
  .github/codeql/codeql-config.yml           models/
                                               request-forgery-sanitizers.model.yml

The new `.github/codeql/certctl-models/` is the pack directory, named
to match `name: shankar0123/certctl-models` in qlpack.yml. Its parent
`.github/codeql/` is what additional-packs points at. The action
discovers the pack by walking the parent dir, sees the qlpack.yml,
registers the name, and `packs:` lookup succeeds.

Three concrete changes:

  - Pack moves from .github/codeql/{qlpack.yml, models/} into the
    sibling subdirectory .github/codeql/certctl-models/.

  - codeql-config.yml's packs: directive now uses the pack NAME
    (`shankar0123/certctl-models`) instead of the broken `./` path.

  - codeql.yml's Initialize CodeQL step gains
    `additional-packs: .github/codeql` so the CLI's resolver knows
    where to find unpublished packs.

Belt-and-suspenders correctness fix: the model row's `subtypes`
column now uses `False` (Python-style capitalized) instead of `false`
to match every shipped CodeQL Go .model.yml convention. SnakeYAML
accepts lowercase too — this is a hedge against any strict-format
tooling in the path.

Why this matters: alert #23 is rated Critical with CWE-918 + CWE-180.
The runtime defense is correct (validate-then-pin via
ValidateSafeURL + SafeHTTPDialContext), but the analyzer doesn't
know it. With the pack actually loading this time, the next CodeQL
run will see the barrier and dismiss the alert at source. Same fix
implicitly applies to the webhook notifier's outbound client.Do
(the second site that uses ValidateSafeURL).

Operator: push and watch the next CodeQL run dismiss alert #23. If
it doesn't, the next iteration will be on the YAML row's column
shape — most likely a one-line tweak, not another redesign.

.github/codeql/codeql-config.yml

@@ -7,9 +7,10 @@
 #     so that disabling the action's default suite via `disable-default-
 #     queries: true` doesn't accidentally drop coverage.
 #
-#  2. Load the local model pack at .github/codeql/, which adds project-
-#     specific Models-as-Data extensions (sanitizers, sinks, summaries)
-#     for the standard Go queries. See ./qlpack.yml for the full motivation.
+#  2. Load the local model pack at .github/codeql/certctl-models/, which
+#     adds project-specific Models-as-Data extensions (barriers, sinks,
+#     summaries) for the standard Go queries. See
+#     certctl-models/qlpack.yml for the full motivation.
 #
 # Path-ignore is intentionally empty — every path that ships with the
 # repo is in scope. Test files are NOT excluded; if a vulnerability
@@ -25,12 +26,16 @@ name: certctl-codeql
 queries:
   - uses: security-and-quality
 
-# Load the local model pack. This is what makes the SSRF sanitizer
-# barrier rows in models/request-forgery-sanitizers.model.yml apply to
-# the standard go/request-forgery query.
+# Load the local model pack BY NAME. The action's `init` step resolves
+# this name against the path it was given via `additional-packs: .github/
+# codeql` — that path is the parent directory of certctl-models/, where
+# the pack's qlpack.yml declares `name: shankar0123/certctl-models`.
 #
-# `${{ }}` is not used here — the path is relative to the config file's
-# directory, not to the repo root, per CodeQL action docs.
+# An earlier draft used `packs: { go: ['./'] }` (a relative path). That's
+# the wrong syntax — the `packs:` field expects pack NAMES, not paths.
+# Local-by-path is not supported here; the discovery happens via
+# additional-packs + name lookup. Verified against the github/vscode-codeql
+# working setup.
 packs:
   go:
-    - ./
+    - shankar0123/certctl-models