-`SpecCompanion` Rust security follow-up: opened by Dependabot after the critical batch, PR #32 was a lockfile-only Cargo group update for `tauri`, `openssl`, `quinn-proto`, and `rustls-webpki`. PR #32 was mergeable with passing checks and was squash-merged into `main`; a targeted read-only audit refresh with GHAS alerts now reports portfolio Dependabot pressure at 0 critical and 401 high alerts, while SpecCompanion is down to 1 high, 4 medium, and 3 low Dependabot alerts. The remaining SpecCompanion high alert is no longer the strongest queue driver compared with AIGCCore's high code-scanning backlog.
214
214
-`ContentEngine` workflow-permissions closeout: opened and merged `ContentEngine` PR #24 to add explicit read-only workflow token permissions to `desktop-ci` and `quality-gates`, clearing the two medium CodeQL `actions/missing-workflow-permissions` alerts. PR checks passed before merge, and main-branch `Push on main`, `quality-gates`, and `desktop-ci` checks passed after merge. GitHub code scanning now reports 0 open alerts for `ContentEngine`; a targeted read-only audit refresh with GHAS alerts shows `ContentEngine` as healthy with Code scanning, Secret scanning, `SECURITY.md`, and Dependabot present, leaving only the low-priority OpenSSF Scorecard suggestion.
215
215
- Workflow-permissions batch follow-up: opened workflow-token hardening PRs for `Cartograph` PR #8, `Chromafield` PR #6, `Calibrate` PR #5, and `Conductor` PR #6 after live code-scanning showed medium `actions/missing-workflow-permissions` alerts in each repo's `ci.yml`. `Cartograph` PR #8 passed PR checks, merged, passed main-branch CI, and live code scanning now reports 0 open alerts; a targeted read-only audit refresh with GHAS alerts now reports portfolio Code Scanning pressure at 0 critical and 2 high across 8 repos. `Calibrate` PR #5 also fixed an existing CI signing-profile blocker by adding `CODE_SIGNING_ALLOWED=NO`; its PR checks passed, it was merged, main-branch CI passed, and live code scanning now reports 0 open alerts. `Conductor` PR #6 passed PR checks, merged, passed main-branch CI, and live code scanning now reports 0 open alerts. A targeted read-only audit refresh with GHAS alerts for `Calibrate` and `Conductor` now reports portfolio Code Scanning pressure at 0 critical and 2 high across 6 repos. `Chromafield` PR #6 also merged after adding read-only workflow permissions, disabling CI signing, and repairing the Swift 6 export build issues in image/video Photos export paths. PR checks passed, main-branch CI and CodeQL passed on merge commit `b7e173e`, and live GitHub code scanning now reports 0 open alerts for `Chromafield`. A targeted read-only audit refresh with GHAS alerts reports portfolio Code Scanning pressure at 0 critical and 2 high across 5 repos, Dependabot pressure at 0 critical and 397 high across 69 repos, and keeps Security Review manual-only.
216
-
- CodeQL setup batch 1: reran a full read-only Security Review refresh with GHAS alerts after the Chromafield closeout. The fresh queue now leads with CodeQL setup gaps instead of stale warning-only code-scanning review items. Opened config-only CodeQL PRs for `EarthPulse`, `FreelanceInvoice`, and `LifeCadenceLedger`; the first attempt used an invalid branch family and was replaced with policy-compliant `codex/ci/...` branches. `FreelanceInvoice` PR #24 and `LifeCadenceLedger` PR #17 passed PR CodeQL, were squash-merged, and their main-branch CodeQL runs passed. `EarthPulse` PR #47 remains open: CodeQL itself passed, but existing `security-quality` checks failed on baseline dependency audits (`pnpm audit --audit-level=high` and Rust audit), so it should not be merged until that dependency debt is handled or explicitly accepted.
216
+
- CodeQL setup batch 1: reran a full read-only Security Review refresh with GHAS alerts after the Chromafield closeout. The fresh queue now leads with CodeQL setup gaps instead of stale warning-only code-scanning review items. Opened config-only CodeQL PRs for `EarthPulse`, `FreelanceInvoice`, and `LifeCadenceLedger`; the first attempt used an invalid branch family and was replaced with policy-compliant `codex/ci/...` branches. `FreelanceInvoice` PR #24 and `LifeCadenceLedger` PR #17 passed PR CodeQL, were squash-merged, and their main-branch CodeQL runs passed. `EarthPulse` PR #47 originally stayed open because CodeQL passed but existing `security-quality` checks failed on baseline dependency audits (`pnpm audit --audit-level=high` and Rust audit). The follow-up updated patched JavaScript transitive pins, refreshed `pnpm-lock.yaml`, updated `rustls-webpki` in `src-tauri/Cargo.lock`, added the required lockfile rationale, and merged PR #47 after all PR checks passed. Main-branch CodeQL and Artifact Hygiene passed after the merge, Dependabot update jobs completed successfully, and live GitHub code scanning now reports 0 open alerts for `EarthPulse`.
217
+
- Post-EarthPulse evidence note: targeted Security Review refresh is blocked until the portfolio baseline is refreshed because the live repo set expanded from 119 to 121 repos. A parallel full refresh was stopped after missing-checkout warnings; the safer single-worker full refresh was also stopped before completion because it is a long 121-repo run. The next Security Review evidence move should be a clean full read-only refresh before choosing the next CodeQL setup batch.
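Review bot: the replacement `CodeQL setup batch 1` entry drops the merge condition the old line stated for `EarthPulse` PR #47 (not merging until the `security-quality` dependency-audit failures were handled or explicitly accepted) without recording that those gates now pass. The new text lists main-branch CodeQL and Artifact Hygiene as passing after merge but says nothing about `pnpm audit --audit-level=high` and the Rust audit, so either add that `security-quality` passed on `main` with the refreshed `pnpm-lock.yaml` and `src-tauri/Cargo.lock`, or state which remaining advisories were accepted and why. In the `Post-EarthPulse evidence note`, since the baseline is now stale (119 to 121 repos) and two full refreshes were aborted, it is worth saying explicitly that no partial output from the aborted parallel run (the one with missing-checkout warnings) was written over the baseline, so the earlier `0 critical` portfolio figures are not being compared against a half-populated dataset.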
1. Complete manual desktop Excel signoff for the generated workbook if this rehearsal becomes a release record.
348
349
2. Reduce GitHub security endpoint warning noise; expected 403/404 responses from code/secret-scanning alert endpoints should be summarized or quieted without hiding real API outages.
349
350
3. Use `python3 -m src` or the installed `audit` console script after `pip install -e ".[dev,config]"`; PR #122 restored `python3 -m src.cli --help` behavior.
350
-
4. Start Phase 123 only after explicit catalog eligibility and approval-center readiness exist.
351
+
4. Start Phase 123 only after explicit catalog eligibility and approval-center readiness exist.
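Review bot: the removed and re-added `4. Start Phase 123 ...` lines are textually identical as rendered, so this part of the change is invisible to a reader (most likely trailing whitespace or a line-ending difference). If that is intentional, note it in the commit; otherwise drop it so the diff carries only the substantive journal entry added in the first hunk and the numbered list keeps a single clean item 4.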