docs(dev-cycle): #126 — add §4.5.6 Workflow security hardening

[Knapp-Kevin]

Summary

Closes #126.

Adds a new subsection §4.5.6 Workflow security hardening to docs/DEV_CYCLE.md capturing the durable CI-author principles the #114 audit asked us to document. Pure additive — no existing content modified, 91 insertions / 0 deletions.

What's in the new section

• Why this section exists — the CI lint for unstructured references in plan files and PR bodies #114 / PR feat(#114): CI grounding lint — plan paths + PR-body refs #121 audit context (OWASP A03 in a draft workflow), with a pointer to the canonical inline case study at .github/workflows/pr-body-refs-lint.yml.
• Workflow input handling — contributor-editable fields are user input; os.environ over echo "$VAR"; the command-substitution hazard inside double-quoted shell strings.
• Trigger choice — pull_request (default-safe) vs pull_request_target (privileged, fork-unsafe) vs workflow_dispatch (escape hatch).
• Permissions scoping — least privilege at the workflow level, widen per-job.
• Required-check deadlocks — the paths: + branch-protection interaction (bicameral-daemon#37 / Add workflow_dispatch trigger to test-schema-persistence.yml #123), and the workflow_dispatch: mitigation.
• Anchor case studies — links to pr-body-refs-lint.yml, lint_pr_body_refs.py, Add workflow_dispatch trigger to test-schema-persistence.yml #123, and label-merged-to-dev workflow fails with 'Resource not accessible by integration' on some PRs #115 so the section stays an index rather than duplicating per-workflow detail.

Acceptance check

• New section captures the four principles named in the issue body
• References the existing inline note at .github/workflows/pr-body-refs-lint.yml rather than restating it
• Numbering preserved (§4.5.1 → … → §4.5.5 → §4.5.6 → §4.6)
• No top-level TOC in this doc to update (verified)
• Relative markdown links validated (../.github/... from docs/DEV_CYCLE.md)

Backward compatibility

• Data migration: N/A — pure docs.
• Wire format: N/A — no tool change.
• Skill contract: N/A — no skill change.

Risk

L1 — additive documentation.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5398938e-828a-47a4-8c17-be8d08b27a76

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/126-ci-hardening-section

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}