feat: Decadal G-SIFI AGI/ASI Governance Roadmap (2026-2035) & CI/CD Security Hardening

- Implemented comprehensive Decadal Roadmap (2026-2035) for G-SIFIs.
- Established Technical Architecture v2.4 (Sentinel/Omni-Sentinel Mesh).
- Integrated StaR-MoE (SARA/ACR), PQC-WORM (FIPS 204), and ZK-Proofs.
- Added machine-readable OSCAL 1.1.2 technical requirement artifacts.
- Hardened CI Security: Pinned all GitHub Actions to confirmed stable commit SHAs.
- Resolved CodeQL Security Alerts: Fixed ReDoS vulnerabilities and implemented global rate limiting in server.js.
- Fixed CI Deployment: Corrected Netlify _headers/_redirects formatting for strict validation.
- Fixed Deno Linting: Programmatically resolved hundreds of 'no-unused-vars' errors.
- Cleaned up build artifacts and local cache files.

Co-authored-by: OneFineStarstuff <87420139+OneFineStarstuff@users.noreply.github.com>

Author: google-labs-jules[bot]

.deepsource.toml

@@ -0,0 +1,19 @@
+version = 1
+
+[[analyzers]]
+name = "python"
+enabled = true
+  [analyzers.meta]
+  runtime_version = "3.x"
+
+[[analyzers]]
+name = "javascript"
+enabled = true
+
+[[analyzers]]
+name = "shell"
+enabled = true
+
+[[analyzers]]
+name = "docker"
+enabled = true

.github/workflows/codeql.yml

@@ -55,11 +55,11 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@23acc5c56da8f1d67c0558b779d201e5d797c271
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -87,6 +87,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@23acc5c56da8f1d67c0558b779d201e5d797c271
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/daily-gsifi-governance-validation.yml

@@ -50,10 +50,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677109307c7a44114705603b30e01c0ad72a39d
         with:
           python-version: '3.12'
 
@@ -77,7 +77,7 @@ jobs:
 
       - name: Upload governance test report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
         with:
           name: gsifi-governance-test-report
           path: |

.github/workflows/deno.yml

@@ -23,10 +23,10 @@ jobs:
 
     steps:
       - name: Setup repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Setup Deno
-        # uses: denoland/setup-deno@v1
+        # uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31
         uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31  # v1.1.2
         with:
           deno-version: v1.x

.github/workflows/docker-image.yml

@@ -13,6 +13,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Build the Docker image
       run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)

.github/workflows/federated-zk-docs-validation.yml

@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677109307c7a44114705603b30e01c0ad72a39d
         with:
           python-version: '3.11'
 

.github/workflows/governance-artifacts-ci.yml

@@ -33,10 +33,10 @@ jobs:
     timeout-minutes: 12
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677109307c7a44114705603b30e01c0ad72a39d
         with:
           python-version: '3.12'
           cache: 'pip'
@@ -51,7 +51,7 @@ jobs:
         run: make governance-validate
 
       - name: Setup OPA
-        uses: open-policy-agent/setup-opa@v2
+        uses: open-policy-agent/setup-opa@790401b7a0f785501861034177727192667d4e32
         with:
           version: v1.15.2
 
@@ -75,10 +75,10 @@ jobs:
     timeout-minutes: 8
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677109307c7a44114705603b30e01c0ad72a39d
         with:
           python-version: '3.12'
           cache: 'pip'
@@ -89,15 +89,15 @@ jobs:
 
       - name: Upload G-Stack test artifacts
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
         with:
           name: gstack-test-results
           path: artifacts/test-results
           if-no-files-found: ignore
 
       - name: Upload G-Stack validation report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
         with:
           name: gstack-validation-report
           path: artifacts/validation/gstack-validation.json

.github/workflows/governance-artifacts-validate.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677109307c7a44114705603b30e01c0ad72a39d
         with:
           python-version: '3.11'
 

.github/workflows/governance-artifacts.yml

@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677109307c7a44114705603b30e01c0ad72a39d
         with:
           python-version: '3.12'
 
@@ -30,7 +30,7 @@ jobs:
 
       - name: Upload governance validation report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
         with:
           name: governance-validation-report
           path: .reports/governance-validation.json

.github/workflows/governance-docs-lint.yml

@@ -36,10 +36,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@60edb5dd545a775178f525247833781745262c6d
         with:
           node-version: '20'
 
@@ -50,7 +50,7 @@ jobs:
         run: bash -n tests/test_lint_governance_docs.sh
 
       - name: Shellcheck lint scripts
-        uses: ludeeus/action-shellcheck@2.0.0
+        uses: ludeeus/action-shellcheck@94e0a5663708a74e508827f311c818816c1416e8
         with:
           scandir: "scripts tests"
           severity: warning