Adopt managed CodeQL and security baseline

Author: DariaGrama

.github/dependabot.yml

@@ -1,12 +1,42 @@
 version: 2
 updates:
-  - package-ecosystem: "nuget"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
+- package-ecosystem: nuget
+  directory: /
+  schedule:
+    interval: weekly
+  open-pull-requests-limit: 10
+  groups:
+    nuget-root-patch-minor:
+      patterns:
+      - '*'
+      update-types:
+      - patch
+      - minor
+  ignore:
+  - dependency-name: '*'
+    update-types:
+    - version-update:semver-major
+  labels:
+  - dependencies
+  - type:chore
+  - area:ci
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: weekly
+  open-pull-requests-limit: 10
+  groups:
+    github-actions-root-patch-minor:
+      patterns:
+      - '*'
+      update-types:
+      - patch
+      - minor
+  ignore:
+  - dependency-name: '*'
+    update-types:
+    - version-update:semver-major
+  labels:
+  - dependencies
+  - type:chore
+  - area:ci

.github/workflows/codecov-analytics.yml

@@ -9,14 +9,16 @@ on:
     branches: [main, master]
   pull_request:
     branches: [main, master]
+  merge_group:
+    types: [checks_requested]
   workflow_dispatch:
 
 jobs:
   shared-codecov-analytics:
     permissions:
       contents: read
       id-token: write
-    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-codecov-analytics.yml@0e7482ede8d157d5183d41dfe2b575560fbea222
+    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-codecov-analytics.yml@d7a94db4ab57df42940832cf67b730c673af7da6
     with:
       repo_slug: ${{ github.repository }}
       event_name: ${{ github.event_name }}

.github/workflows/codeql.yml

@@ -1,29 +1,31 @@
 name: CodeQL
 
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: "0 6 * * 1"
-
 permissions:
   actions: read
   contents: read
   security-events: write
 
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  merge_group:
+    types: [checks_requested]
+  schedule:
+    - cron: "23 3 * * 1"
+  workflow_dispatch:
+
 jobs:
-  analyze:
-    runs-on: windows-latest
-    steps:
-      - uses: actions/checkout@v6
-      - uses: github/codeql-action/init@v4
-        with:
-          languages: csharp
-      - uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: 8.0.x
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
-      - uses: github/codeql-action/analyze@v4
+  codeql:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-codeql.yml@d7a94db4ab57df42940832cf67b730c673af7da6
+    with:
+      repo_slug: ${{ github.repository }}
+      event_name: ${{ github.event_name }}
+      sha: ${{ github.event.pull_request.head.sha || github.sha }}
+      platform_repository: Prekzursil/quality-zero-platform
+      platform_ref: main

.github/workflows/quality-zero-gate.yml

@@ -8,13 +8,15 @@ on:
     branches: [main, master]
   pull_request:
     branches: [main, master]
+  merge_group:
+    types: [checks_requested]
   workflow_dispatch:
 
 jobs:
   aggregate-gate:
     permissions:
       contents: read
-    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@0e7482ede8d157d5183d41dfe2b575560fbea222
+    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@d7a94db4ab57df42940832cf67b730c673af7da6
     with:
       repo_slug: ${{ github.repository }}
       event_name: ${{ github.event_name }}

.github/workflows/quality-zero-platform.yml

@@ -20,7 +20,7 @@ jobs:
       contents: read
       id-token: write
       pull-requests: write
-    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-scanner-matrix.yml@0e7482ede8d157d5183d41dfe2b575560fbea222
+    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-scanner-matrix.yml@d7a94db4ab57df42940832cf67b730c673af7da6
     with:
       repo_slug: ${{ github.repository }}
       event_name: ${{ github.event_name }}

SECURITY.md

@@ -1,28 +1,33 @@
 # Security Policy
 
-## Supported versions
+## Supported Versions
 
-Until a stable versioning policy is established, only the latest tagged release is considered supported for security fixes.
+Security fixes are applied to the `main` branch.
 
-## Reporting a vulnerability
+| Version | Supported |
+| --- | --- |
+| `main` | :white_check_mark: |
+| Other branches/tags | :x: |
 
-Please do **not** open public GitHub issues for sensitive security reports.
+## Reporting a Vulnerability
 
-Instead:
+Please do **not** open public GitHub issues for undisclosed security findings.
 
-1. open a private security advisory if available for the repository, or
-2. contact the maintainer directly with a concise reproduction and impact summary
+Use GitHub Private Vulnerability Reporting for this repository:
+<https://github.com/Prekzursil/codex-session-manager/security/advisories/new>
 
-Include:
+If private advisory reporting is unavailable, contact the maintainer privately on GitHub (`@Prekzursil`).
 
-- affected version or commit
-- reproduction steps
-- expected vs actual behavior
-- whether the issue can expose private local session content, metadata, or unsafe maintenance behavior
+When reporting, include:
 
-## Security expectations for contributors
+- the affected component, file, workflow, or dependency
+- the exact commit, branch, or release if known
+- clear reproduction or proof-of-concept steps
+- impact details covering confidentiality, integrity, or availability
+- any suggested mitigation if known
 
-- do not add telemetry or network sync without explicit review
-- do not weaken maintenance confirmations or checkpoint creation
-- do not make live Codex SQLite state writable in v1
-- do not add real personal session data to tests, docs, fixtures, or screenshots
+## Disclosure Expectations
+
+- Initial acknowledgment: best effort within 3 business days.
+- Triage update: best effort within 7 business days.
+- Coordinated disclosure is expected; please allow time to investigate and patch before public disclosure.