codeql
JS: Add support for threat models
First many Python commits from https://github.com/github/codeql/pull/17203 -- this PR mostly follows the structure of that PR.
The most interesting aspect of this PR is that in ebb9f4a I was only able to meaningfully add ActiveThreatModelSource as the default source for some queries, since some of them rely on this pattern:
```ql
class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
  RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
}
```
and it's not quite clear how these should be migrated :thinking: This pattern is used in these 7 cases:
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
I'll also note that I only implemented support for the environment and commandargs so far, so stdin/file/database threat-models currently have no modeling.