Add standalone connector docs verification workflow

[gontzess]

Why

The new connector docs process needs a required docs safety check on every standard connector repo, including repos that do not use the managed Verify workflow. Coupling that policy to Verify would either leave some repos out or silently add unrelated lint/test behavior.

What this changes

Adds a standalone reusable connector docs workflow that reports a stable connector-docs / validate check. The workflow uses the pull request changed-files API to skip unchanged docs, validates docs/connector.mdx when it changes, and fails if the file was removed.

The MDX validator now rejects unsafe constructs before compile: imports/exports, expression braces outside code, event-handler attributes, dangerous URL schemes, unsupported JSX tags, NUL/BOM, and malformed fences. The workflow installs pinned MDX tooling before checking out caller code, disables npm scripts, uses read-only permissions, and does not persist checkout credentials.

This keeps the existing Verify workflow compatibility path intact, only adding Check to its component allowlist. The standalone workflow should be released before baton-admin adds caller workflows, and the required status check should only be enabled after connector PRs show connector-docs / validate on both docs and non-doc changes.

Validation

• git diff --check
• parsed workflow YAML with yq
• node --check tools/mdx-lint/mdx-lint.mjs
• ran MDX lint against a real connector doc
• verified malicious URL, event handler, raw script tag, and indented fake fence cases fail