
Refresh v1.2 dependency security pins #45

Merged
trentdoney merged 1 commit into release/github-readiness-20260520 from codex/v1.2-dependency-security-refresh
May 23, 2026

@SynapseOpsAgent
Collaborator

Summary

  • Replaces the Dependabot-authored updates with an organization-authored branch for the v1.2.0 release candidate.
  • Updates CodeQL action init/analyze pins from v4.35.5 to v4.36.0.
  • Updates the example MCP server NumPy floor from 2.4.5 to 2.4.6.

Verification

  • Inspected Dependabot PRs "Bump github/codeql-action from 4.35.5 to 4.36.0 in /.github/workflows" (#42) and "Update numpy requirement from >=2.4.5 to >=2.4.6 in /examples/mcp_server" (#43) read-only.
  • Recreated the dependency changes manually from the v1.2 release branch.
  • bun install --frozen-lockfile
  • bun run lint
  • BRAINCORE_TENANT=test-tenant bun test
  • ruff check mcp/ examples/mcp_server/ scripts/ tests/
  • MCP example import with NumPy 2.4.6
  • Isolated Postgres/pgvector migration plus python -m pytest tests/
  • python benchmarks/verify_tool_index.py --tool-index .agents/TOOL_INDEX.yaml
  • python benchmarks/verify_claims_to_evidence.py --readme README.md --claims benchmarks/claims-to-evidence.yaml
  • bun run memory-policy:check
  • bun audit
  • pip-audit -r examples/mcp_server/requirements.txt
  • bun run sanitize:check

Public-boundary review

  • Changed files are limited to the CodeQL workflow and example MCP server requirements.
  • No secrets, internal hostnames, private URLs, local paths, generated artifacts, unrelated churn, or public claim text changes were added.

Replacement for Dependabot PRs #42 and #43. Those PRs should be closed unmerged per maintainer policy.

@trentdoney trentdoney marked this pull request as ready for review May 23, 2026 21:16
@trentdoney trentdoney self-requested a review as a code owner May 23, 2026 21:16
@trentdoney trentdoney merged commit ef343eb into release/github-readiness-20260520 May 23, 2026
7 checks passed