From bc0ac2ef34becaecc67091f7222e5ab9f635550b Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 17 Dec 2025 23:24:44 +0000
Subject: [PATCH] fix(security): SHA-pin denoland/setup-deno and enable CodeQL

- Pin denoland/setup-deno@v2 to SHA (e95548e, v2.0.3)
- Enable CodeQL security scanning for JavaScript/TypeScript
- Add .well-known/security.txt for RFC 9116 compliance
- Update Deno version to v2.x in CI workflow
- Update STATE.scm with security hardening session
---
 .github/workflows/codeql.yml           | 41 ++++++++++++++++++++++----
 .github/workflows/rescript-deno-ci.yml |  6 ++--
 .well-known/security.txt               |  9 ++++++
 STATE.scm                              | 17 +++++++++--
 4 files changed, 62 insertions(+), 11 deletions(-)
 create mode 100644 .well-known/security.txt

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c3415a9..69dc15b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,15 +1,46 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
-# CodeQL disabled - no scannable source code detected
+# CodeQL scans ReScript-compiled JavaScript for security vulnerabilities
 name: CodeQL Security Analysis
 
 on:
-  workflow_dispatch:  # Manual trigger only
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday 6am UTC
 
 permissions: read-all
 
 jobs:
-  placeholder:
+  analyze:
     runs-on: ubuntu-latest
-    if: false
+    permissions:
+      security-events: write
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript-typescript']
+
     steps:
-      - run: echo "Enable when source code is added"
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Build ReScript to JavaScript
+        run: |
+          if [ -f "rescript.json" ] || [ -f "bsconfig.json" ]; then
+            npm install
+            npx rescript || true
+          fi
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/rescript-deno-ci.yml b/.github/workflows/rescript-deno-ci.yml
index 367386d..735586f 100644
--- a/.github/workflows/rescript-deno-ci.yml
+++ b/.github/workflows/rescript-deno-ci.yml
@@ -11,9 +11,9 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: denoland/setup-deno@v2
+      - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3
         with:
-          deno-version: v1.x
+          deno-version: v2.x
       
       - name: Deno lint
         run: deno lint
@@ -40,7 +40,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: denoland/setup-deno@v2
+      - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3
       - name: Check permissions
         run: |
           # Audit for dangerous permissions
diff --git a/.well-known/security.txt b/.well-known/security.txt
new file mode 100644
index 0000000..f94714d
--- /dev/null
+++ b/.well-known/security.txt
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# RFC 9116 security.txt for grimrepo-scripts
+# Reference: https://securitytxt.org/
+
+Contact: https://github.com/hyperpolymath/grimrepo-scripts/security/advisories/new
+Expires: 2026-12-17T00:00:00.000Z
+Preferred-Languages: en
+Canonical: https://github.com/hyperpolymath/grimrepo-scripts/.well-known/security.txt
+Policy: https://github.com/hyperpolymath/grimrepo-scripts/security/policy
diff --git a/STATE.scm b/STATE.scm
index ba5bf36..d7473ce 100644
--- a/STATE.scm
+++ b/STATE.scm
@@ -15,7 +15,7 @@
   '((version . "0.1.0")
     (schema-version . "1.0")
     (created . "2025-12-15")
-    (updated . "2025-12-15")
+    (updated . "2025-12-17")
     (project . "grimrepo-scripts")
     (repo . "github.com/hyperpolymath/grimrepo-scripts")))
 
@@ -68,7 +68,10 @@
      ("RSR-compliant CI/CD pipeline"
       "Multi-platform mirroring (GitHub, GitLab, Bitbucket)"
       "SPDX license headers on all files"
-      "SHA-pinned GitHub Actions"))))
+      "SHA-pinned GitHub Actions (100% compliant)"
+      "RFC 9116 security.txt compliance"
+      "CodeQL security scanning for JavaScript/TypeScript"
+      "OSSF Scorecard integration"))))
 
 ;;;============================================================================
 ;;; ROUTE TO MVP
@@ -151,6 +154,14 @@
 
 (define session-history
   '((snapshots
+     ((date . "2025-12-17")
+      (session . "security-hardening")
+      (accomplishments
+       ("SHA-pinned denoland/setup-deno@v2 → v2.0.3"
+        "Created .well-known/security.txt (RFC 9116 compliance)"
+        "Enabled CodeQL security scanning for ReScript/JavaScript"
+        "Updated Deno version to v2.x in CI"))
+      (notes . "Security audit and SCM hardening completed"))
      ((date . "2025-12-15")
       (session . "initial-state-creation")
       (accomplishments
@@ -189,6 +200,6 @@
     (next-milestone . "v0.2 - Core Functionality")
     (critical-blockers . 0)
     (high-priority-issues . 0)
-    (updated . "2025-12-15")))
+    (updated . "2025-12-17")))
 
 ;;; End of STATE.scm