Commit 6305992

docs: record Construction security closeout
1 parent d22fe00 commit 6305992

1 file changed

Lines changed: 2 additions & 0 deletions

docs/plans/2026-04-24-post-merge-current-state.md

@@ -215,6 +215,8 @@ Phase 123 preview-only readiness refresh:
215215
- Workflow-permissions batch follow-up: opened workflow-token hardening PRs for `Cartograph` PR #8, `Chromafield` PR #6, `Calibrate` PR #5, and `Conductor` PR #6 after live code-scanning showed medium `actions/missing-workflow-permissions` alerts in each repo's `ci.yml`. `Cartograph` PR #8 passed PR checks, merged, passed main-branch CI, and live code scanning now reports 0 open alerts; a targeted read-only audit refresh with GHAS alerts now reports portfolio Code Scanning pressure at 0 critical and 2 high across 8 repos. `Calibrate` PR #5 also fixed an existing CI signing-profile blocker by adding `CODE_SIGNING_ALLOWED=NO`; its PR checks passed, it was merged, main-branch CI passed, and live code scanning now reports 0 open alerts. `Conductor` PR #6 passed PR checks, merged, passed main-branch CI, and live code scanning now reports 0 open alerts. A targeted read-only audit refresh with GHAS alerts for `Calibrate` and `Conductor` now reports portfolio Code Scanning pressure at 0 critical and 2 high across 6 repos. `Chromafield` PR #6 also merged after adding read-only workflow permissions, disabling CI signing, and repairing the Swift 6 export build issues in image/video Photos export paths. PR checks passed, main-branch CI and CodeQL passed on merge commit `b7e173e`, and live GitHub code scanning now reports 0 open alerts for `Chromafield`. A targeted read-only audit refresh with GHAS alerts reports portfolio Code Scanning pressure at 0 critical and 2 high across 5 repos, Dependabot pressure at 0 critical and 397 high across 69 repos, and keeps Security Review manual-only.
216216
- CodeQL setup batch 1: reran a full read-only Security Review refresh with GHAS alerts after the Chromafield closeout. The fresh queue now leads with CodeQL setup gaps instead of stale warning-only code-scanning review items. Opened config-only CodeQL PRs for `EarthPulse`, `FreelanceInvoice`, and `LifeCadenceLedger`; the first attempt used an invalid branch family and was replaced with policy-compliant `codex/ci/...` branches. `FreelanceInvoice` PR #24 and `LifeCadenceLedger` PR #17 passed PR CodeQL, were squash-merged, and their main-branch CodeQL runs passed. `EarthPulse` PR #47 originally stayed open because CodeQL passed but existing `security-quality` checks failed on baseline dependency audits (`pnpm audit --audit-level=high` and Rust audit). The follow-up updated patched JavaScript transitive pins, refreshed `pnpm-lock.yaml`, updated `rustls-webpki` in `src-tauri/Cargo.lock`, added the required lockfile rationale, and merged PR #47 after all PR checks passed. Main-branch CodeQL and Artifact Hygiene passed after the merge, Dependabot update jobs completed successfully, and live GitHub code scanning now reports 0 open alerts for `EarthPulse`.
217217
- Post-EarthPulse evidence note: targeted Security Review refresh is blocked until the portfolio baseline is refreshed because the live repo set expanded from 119 to 121 repos. A parallel full refresh was stopped after missing-checkout warnings; the safer single-worker full refresh was also stopped before completion because it is a long 121-repo run. The next Security Review evidence move should be a clean full read-only refresh before choosing the next CodeQL setup batch.
218+
- `Construction` workflow-permissions closeout: live GitHub code scanning showed the prior queue item had narrowed to one medium `actions/missing-workflow-permissions` alert in `perf-enforced.yml`. Opened `Construction` PR #34 after closing PR #33, whose branch name failed the repo guard. PR #34 added top-level read-only workflow permissions, passed PR CodeQL, quality, performance, branch-name, commitlint, and secret checks, then was squash-merged. Main-branch `Push on main` and Dependabot update jobs passed after the merge, and live GitHub code scanning now reports 0 open alerts for `Construction`.
219+
- Full Security Review evidence refresh after `Construction`: reran the 121-repo read-only audit with GHAS alerts and 8 analysis workers. The parallel path completed cleanly with `portfolio_baseline_size=121` and `total_repos=121`. GHAS pressure is now 0 critical and 2 high code-scanning alerts across 4 repos, 0 open secret-scanning alerts, and 0 critical / 385 high Dependabot alerts across 68 repos. The Security Review preview remains manual-only and now shows 20 actions across 20 repos, led by CodeQL setup gaps for `LegalDocsReview`, `IncidentReview`, `IncidentManagement`, `IncidentWorkbench`, and `LoreKeeper`.
218220

219221
## 2026-05-09 Refresh
220222
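Review bot: the new "Full Security Review evidence refresh" entry (line 220) does not say what changed so that the 8-worker parallel path now "completed cleanly", while the entry directly above it (line 217) records the parallel refresh being stopped after missing-checkout warnings; without a sentence naming the fix (or stating that the warnings simply did not recur), the two entries read as contradictory evidence. Suggest adding that reason next to `portfolio_baseline_size=121` and `total_repos=121`. Minor: the `Construction` closeout (line 218) records PR #34 and the closed PR #33 but not the merge commit, unlike the `Chromafield` entry on line 215, which cites `b7e173e`; recording the squash-merge commit would keep the evidence trail consistent across entries.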
