Lucent-Financial-Group · AceHack · Apr 27, 2026 · Apr 27, 2026 · Apr 27, 2026 · Apr 27, 2026
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -86,6 +86,12 @@ on:
     # of landed PRs to go un-swept with the heavier query pack.
     - cron: '43 6 * * 2'
 
+# Top-level token permissions — least-privilege default per
+# Scorecard TokenPermissionsID. Per-job blocks below escalate
+# to specific scopes only where needed.
+permissions:
+  contents: read
+
 concurrency:
   # PR force-push supersedes the previous run. Schedule runs
   # carry a distinct ref (`refs/heads/main` on cron) so they
@@ -109,8 +115,10 @@ jobs:
     permissions:
       contents: read
       security-events: write
+      actions: read
     outputs:
       code_changed: ${{ steps.decide.outputs.code_changed }}
+      is_fork_pr: ${{ steps.decide.outputs.is_fork_pr }}
     steps:
       - name: Checkout (full history for diff)
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -138,18 +146,27 @@ jobs:
           BASE_REPO: ${{ github.repository }}
         run: |
           set -uo pipefail
+          # Default fork-PR flag false; set true if this is an
+          # external-contributor PR. Used downstream to gate the
+          # baseline-SARIF emit/upload steps off fork PRs whose
+          # GITHUB_TOKEN cannot write security-events (would 403).
+          is_fork_pr=false
           # Safe default: when unsure, run full analysis.
           decide_fallback_true() {
             echo "code_changed=true" >> "$GITHUB_OUTPUT"
+            echo "is_fork_pr=${is_fork_pr}" >> "$GITHUB_OUTPUT"
             exit 0
           }
           # push and schedule always run full analysis.
           if [ "${GH_EVENT}" = "push" ] || [ "${GH_EVENT}" = "schedule" ]; then
             decide_fallback_true
           fi
           # Fork-PR guard: skip the short-circuit on external
-          # contributor PRs (see HEAD_REPO comment above).
+          # contributor PRs (see HEAD_REPO comment above). Mark
+          # is_fork_pr so the baseline-SARIF steps below skip
+          # (their upload would 403 on the read-only fork token).
           if [ "${GH_EVENT}" = "pull_request" ] && [ -n "${HEAD_REPO}" ] && [ "${HEAD_REPO}" != "${BASE_REPO}" ]; then
+            is_fork_pr=true
             decide_fallback_true
           fi
           if [ "${GH_EVENT}" = "pull_request" ]; then
@@ -171,43 +188,89 @@ jobs:
           # build props, the GitHub Actions workflows that
           # CodeQL's `actions` language leg covers, the
           # CodeQL workflow/config themselves (a change to
-          # either MUST rerun the real analysis), and the
-          # toolchain install script (affects the csharp build).
+          # either MUST rerun the real analysis), the
+          # toolchain install script (affects the csharp build),
+          # plus Python and JavaScript/TypeScript sources for
+          # the `python` and `javascript-typescript` analyze
+          # legs.
           #
           # Note: `case` pattern `*` matches across `/` in bash,
           # so `src/*` covers any depth under `src/`.
           code_changed=false
           while IFS= read -r f; do
             [ -z "${f}" ] && continue
             case "${f}" in
-              src/*|test/*) code_changed=true ;;
+              # `tools/*` covers `tools/setup/*`, `tools/budget/*`,
+              # etc. — `*` after the slash matches across slashes
+              # in case patterns. Earlier branches kept a separate
+              # `tools/setup/*` line; collapsed here per shellcheck
+              # SC2222 (later pattern shadowed by earlier one).
+              src/*|tests/*|tools/*) code_changed=true ;;
               *.cs|*.fs|*.fsproj|*.csproj|*.sln) code_changed=true ;;
+              *.py|pyproject.toml|requirements*.txt) code_changed=true ;;
+              *.js|*.jsx|*.ts|*.tsx|*.mjs|*.cjs) code_changed=true ;;
+              package.json|package-lock.json|tsconfig*.json) code_changed=true ;;
               Directory.Build.props|Directory.Packages.props) code_changed=true ;;
               .github/workflows/*|.github/codeql/*) code_changed=true ;;
-              tools/setup/*) code_changed=true ;;
             esac
             [ "${code_changed}" = "true" ] && break
           done <<< "${changed}"
           echo "code_changed=${code_changed}" >> "$GITHUB_OUTPUT"
+          echo "is_fork_pr=${is_fork_pr}" >> "$GITHUB_OUTPUT"
 
-      # Docs-only branch: synthesise a minimal empty SARIF per
-      # language and upload each under the matching analyze-job
-      # category (/language:actions/ and /language:csharp/) so
-      # GitHub code scanning records "analysis ran, no new
-      # alerts" (SUCCESS aggregate check) rather than NEUTRAL.
+      # Aggregate-CodeQL baseline: synthesise a minimal empty SARIF
+      # per language and upload each under the matching analyze-job
+      # category (/language:actions/, /language:csharp/,
+      # /language:python/, /language:javascript-typescript/) so
+      # GitHub code scanning records "analysis ran, no new alerts"
+      # (SUCCESS aggregate check) rather than NEUTRAL.
+      #
+      # Why this runs UNCONDITIONALLY (not gated on docs-only):
+      # The aggregate `CodeQL` status check is set when path-gate's
+      # SARIF uploads complete, BEFORE the matrix `analyze` jobs
+      # finish. If we only emit on docs-only PRs, code-changed PRs
+      # leave the aggregate without input → NEUTRAL → trips the
+      # `code_quality` ruleset rule even though all per-language
+      # `Analyze (X)` checks pass. By emitting empty SARIF
+      # unconditionally, the aggregate gets a clean baseline early.
+      # The matrix analyses' REAL SARIF is uploaded later under the
+      # same `(commit, ref, category, tool)` key and replaces the
+      # empty baseline (per GitHub's SARIF-replace-by-key rule),
+      # so any real findings still surface as code-scanning alerts.
+      # The `code_quality severity:all` rule gates on alerts, not on
+      # the aggregate status, so real findings still block merges.
+      #
       # Categories must match the `analyze` matrix categories or
       # the code-scanning service treats them as unrelated
       # configurations. The `category:` action-param overrides
       # whatever `automationDetails.id` is in the SARIF, so the
-      # upload steps below set it explicitly per language.
-      - name: Emit no-findings SARIF (docs-only PRs)
-        if: steps.decide.outputs.code_changed != 'true'
+      # upload steps below set it explicitly per language. The
+      # `lang` loop must include every category the `analyze`
+      # matrix covers.
+      - name: Emit no-findings SARIF (aggregate-CodeQL baseline)
+        # Skip on fork PRs: their GITHUB_TOKEN cannot write
+        # security-events, so the upload steps below would 403
+        # and fail the workflow before `analyze` could run. The
+        # full `analyze` matrix is forced on fork PRs (see decide
+        # step) and uploads via its own pull_request_target /
+        # CodeQL-fallback path, so the baseline is unnecessary.
+        if: steps.decide.outputs.is_fork_pr != 'true'
         env:
           HEAD_SHA_ENV: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha || github.sha }}
         run: |
           set -euo pipefail
           mkdir -p sarif
-          for lang in actions csharp; do
+          # `java-kotlin` is included even though our `analyze` matrix
+          # doesn't cover it: GitHub Advanced Security still expects
+          # the category because main's history once carried it (the
+          # configuration is sticky per `refs/heads/main`). Without
+          # this empty baseline upload, the aggregate `CodeQL` check
+          # surfaces "1 configuration not found" and goes NEUTRAL,
+          # tripping the `code_quality` ruleset rule. Emitting empty
+          # SARIF for `/language:java-kotlin` satisfies the
+          # expectation; we have no Java/Kotlin source so empty is
+          # also correct.
+          for lang in actions csharp python javascript-typescript java-kotlin; do
             cat > "sarif/empty-${lang}.sarif" <<SARIF
           {
             "version": "2.1.0",
@@ -245,20 +308,55 @@ jobs:
       # action-param -- which overrides SARIF automationDetails --
       # can differ per file.
       - name: Upload no-findings SARIF (actions)
-        if: steps.decide.outputs.code_changed != 'true'
+        if: steps.decide.outputs.is_fork_pr != 'true'
         uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4.35.2
         with:
           sarif_file: sarif/empty-actions.sarif
           category: "/language:actions"
 
       - name: Upload no-findings SARIF (csharp)
-        if: steps.decide.outputs.code_changed != 'true'
+        if: steps.decide.outputs.is_fork_pr != 'true'
         uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4.35.2
         with:
           sarif_file: sarif/empty-csharp.sarif
           category: "/language:csharp"
 
+      - name: Upload no-findings SARIF (python)
+        if: steps.decide.outputs.is_fork_pr != 'true'
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4.35.2
+        with:
+          sarif_file: sarif/empty-python.sarif
+          category: "/language:python"
+
+      - name: Upload no-findings SARIF (javascript-typescript)
+        if: steps.decide.outputs.is_fork_pr != 'true'
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4.35.2
+        with:
+          sarif_file: sarif/empty-javascript-typescript.sarif
+          category: "/language:javascript-typescript"
+
+      - name: Upload no-findings SARIF (java-kotlin)
+        # No Java/Kotlin source in this repo, but main's history
+        # carries the configuration; satisfy the sticky expectation.
+        if: steps.decide.outputs.is_fork_pr != 'true'
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4.35.2
+        with:
+          sarif_file: sarif/empty-java-kotlin.sarif
+          category: "/language:java-kotlin"
+
   analyze:
+    # Cadence note (maintainer 2026-04-27 + follow-up): the matrix
+    # `Analyze (X)` legs — especially `Analyze (csharp)` — were
+    # the per-PR bottleneck. An attempt to skip the matrix on PRs
+    # (keeping path-gate's empty-SARIF baseline as the aggregate
+    # signal) hit GitHub's `code_quality severity:all` ruleset
+    # rule which expects the per-language `Analyze (X)` status
+    # checks to actually appear on the PR — the merge gate kept
+    # showing "Code quality results are pending for 4 analyzed
+    # languages." Reverted to running the matrix on PR + push +
+    # schedule; cadence-fast-revisit deferred. macos-26 build +
+    # Windows legs in gate.yml stay on the per-merge cadence
+    # because they don't trip the same gate.
     name: Analyze (${{ matrix.language }})
     needs: path-gate
     if: needs.path-gate.outputs.code_changed == 'true'
@@ -279,6 +377,10 @@ jobs:
             build-mode: none
           - language: csharp
             build-mode: manual
+          - language: python
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
 
     steps:
       - name: Checkout

diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml
@@ -75,6 +75,44 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
+  # Dynamic matrix for build-and-test: pre-merge events (pull_request
+  # and merge_group) get Linux-only (production build path, fast —
+  # keeps PR checks and merge-queue runs short). Push-to-main /
+  # workflow_dispatch get the full set including macos-26
+  # (developer-experience verification) and the Windows experimental
+  # legs. Standard GitHub-hosted runners are free for public repos so
+  # the post-merge run has no cost downside.
+  matrix-setup:
+    name: matrix setup
+    runs-on: ubuntu-24.04
+    timeout-minutes: 1
+    outputs:
+      os: ${{ steps.set.outputs.os }}
+    steps:
+      - id: set
+        shell: bash
+        run: |
+          # Pre-merge (pull_request + merge_group): Linux production
+          # legs only (~3 min wall clock).
+          # Push-to-main / workflow_dispatch: full surface incl.
+          # macos-26 (developer-experience) + Windows legs
+          # (peer-harness milestone seeding per maintainer 2026-04-27 —
+          # "start the windows one as a per push to main too/merge to
+          # main, you can start slowly building that out before I get
+          # my windows laptop running the peer-mode agent, windows
+          # will be mostly ready and they can just clean it up").
+          # Windows legs are gated by `continue-on-error: true` at the
+          # build-and-test job level so initial failures (e.g. missing
+          # tools/setup/install.ps1) don't block per-merge runs while
+          # the peer-agent polishes the path.
+          if [ "${GH_EVENT}" = "pull_request" ] || [ "${GH_EVENT}" = "merge_group" ]; then
+            echo 'os=["ubuntu-24.04","ubuntu-24.04-arm"]' >> "$GITHUB_OUTPUT"
+          else
+            echo 'os=["ubuntu-24.04","ubuntu-24.04-arm","macos-26","windows-2025","windows-11-arm"]' >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GH_EVENT: ${{ github.event_name }}
+
   build-and-test:
     # Final runner matrix (maintainer ask 2026-04-24): symmetric
     # across AceHack fork and LFG canonical — same legs run everywhere.
@@ -103,33 +141,41 @@ jobs:
     #                       Reference:
     # https://github.blog/changelog/2026-01-22-1-vcpu-linux-runner-now-generally-available-in-github-actions/
     #
-    # Deferred legs (commented, enable when Windows peer-harness
-    # milestone ships — maintainer's Windows machine available for
-    # second peer agent validation):
+    # Per-merge experimental legs (maintainer 2026-04-27 — replaces
+    # the prior 2026-04-24 deferral so Windows infrastructure is
+    # mostly-ready when the peer-mode agent comes online):
     #   - windows-2025      Windows Server 2025 x64 (4 CPU, 16 GB)
     #   - windows-11-arm    Windows 11 arm64 (4 CPU, 16 GB)
-    #
-    # Deferred: per maintainer 2026-04-24 "we can delay windows
-    # until i can test with a second peer agent on my windows
-    # machine." Uncomment both Windows legs when that milestone
-    # lands.
+    # These run only on push-to-main / schedule / workflow_dispatch
+    # (not on PR — same cadence as macos-26). They carry
+    # `continue-on-error: true` because no PowerShell install script
+    # exists yet (`tools/setup/install.ps1` TBD); failures are
+    # visible-but-not-blocking until the peer-agent polishes the
+    # path.
     #
     # fail-fast: false so one leg's failure doesn't cancel the
     # others — we want the full signal across the matrix.
+    #
+    # Per-PR / per-merge cadence split (maintainer 2026-04-27):
+    # - macos-26: developer-experience verification, NOT prod build.
+    #   Runs only on push-to-main + schedule + workflow_dispatch.
+    #   Same rationale as the Analyze (csharp) move below.
+    # - ubuntu-24.04 + ubuntu-24.04-arm: production build path; runs
+    #   on every PR + push-to-main.
+    # The matrix is built dynamically by `matrix-setup` so PR runs
+    # only get the Linux legs while push-to-main / schedule /
+    # workflow_dispatch run all three.
     name: build-and-test (${{ matrix.os }})
     timeout-minutes: 45
+    needs: matrix-setup
+    # Windows legs are experimental until tools/setup/install.ps1
+    # exists; mark them non-blocking so initial failures don't gate
+    # per-merge runs. Linux + macOS legs are blocking.
+    continue-on-error: ${{ startsWith(matrix.os, 'windows-') }}
     strategy:
       fail-fast: false
       matrix:
-        os:
-          - macos-26
-          - ubuntu-24.04
-          - ubuntu-24.04-arm
-          # ubuntu-slim moved to .github/workflows/low-memory.yml
-          # per maintainer 2026-04-27 — see header comment for rationale.
-          # Deferred until Windows peer-harness milestone:
-          # - windows-2025
-          # - windows-11-arm
+        os: ${{ fromJson(needs.matrix-setup.outputs.os) }}
     runs-on: ${{ matrix.os }}
 
     steps: