Review SCM files and security updates

.github/workflows/codeql.yml

@@ -1,15 +1,46 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
-# CodeQL disabled - no scannable source code detected
+# CodeQL scans ReScript-compiled JavaScript for security vulnerabilities
 name: CodeQL Security Analysis
 
 on:
-  workflow_dispatch:  # Manual trigger only
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday 6am UTC
 
 permissions: read-all
 
 jobs:
-  placeholder:
+  analyze:
     runs-on: ubuntu-latest
-    if: false
+    permissions:
+      security-events: write
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript-typescript']
+
     steps:
-      - run: echo "Enable when source code is added"
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Build ReScript to JavaScript
+        run: |
+          if [ -f "rescript.json" ] || [ -f "bsconfig.json" ]; then
+            npm install
+            npx rescript || true
+          fi
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/rescript-deno-ci.yml

@@ -11,9 +11,9 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: denoland/setup-deno@v2
+      - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3
         with:
-          deno-version: v1.x
+          deno-version: v2.x
 
       - name: Deno lint
         run: deno lint
@@ -40,7 +40,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: denoland/setup-deno@v2
+      - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3
       - name: Check permissions
         run: |
           # Audit for dangerous permissions

.well-known/security.txt

@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# RFC 9116 security.txt for grimrepo-scripts
+# Reference: https://securitytxt.org/
+
+Contact: https://github.com/hyperpolymath/grimrepo-scripts/security/advisories/new
+Expires: 2026-12-17T00:00:00.000Z
+Preferred-Languages: en
+Canonical: https://github.com/hyperpolymath/grimrepo-scripts/.well-known/security.txt
+Policy: https://github.com/hyperpolymath/grimrepo-scripts/security/policy

STATE.scm

@@ -15,7 +15,7 @@
   '((version . "0.1.0")
     (schema-version . "1.0")
     (created . "2025-12-15")
-    (updated . "2025-12-15")
+    (updated . "2025-12-17")
     (project . "grimrepo-scripts")
     (repo . "github.com/hyperpolymath/grimrepo-scripts")))
 
@@ -68,7 +68,10 @@
      ("RSR-compliant CI/CD pipeline"
       "Multi-platform mirroring (GitHub, GitLab, Bitbucket)"
       "SPDX license headers on all files"
-      "SHA-pinned GitHub Actions"))))
+      "SHA-pinned GitHub Actions (100% compliant)"
+      "RFC 9116 security.txt compliance"
+      "CodeQL security scanning for JavaScript/TypeScript"
+      "OSSF Scorecard integration"))))
 
 ;;;============================================================================
 ;;; ROUTE TO MVP
@@ -151,6 +154,14 @@
 
 (define session-history
   '((snapshots
+     ((date . "2025-12-17")
+      (session . "security-hardening")
+      (accomplishments
+       ("SHA-pinned denoland/setup-deno@v2 → v2.0.3"
+        "Created .well-known/security.txt (RFC 9116 compliance)"
+        "Enabled CodeQL security scanning for ReScript/JavaScript"
+        "Updated Deno version to v2.x in CI"))
+      (notes . "Security audit and SCM hardening completed"))
      ((date . "2025-12-15")
       (session . "initial-state-creation")
       (accomplishments
@@ -189,6 +200,6 @@
     (next-milestone . "v0.2 - Core Functionality")
     (critical-blockers . 0)
     (high-priority-issues . 0)
-    (updated . "2025-12-15")))
+    (updated . "2025-12-17")))
 
 ;;; End of STATE.scm