Goal
Add CodeQL scanning after real application code is added under �pps/ or shared code is added under packages/.
Why It Matters
The current repo is mostly documentation and local automation. CodeQL becomes more valuable once there is application logic, API handling, authentication, data processing, or frontend code to analyze.
Initial Scope
- Add CodeQL workflow for the chosen language stack.
- Keep workflow permissions minimal.
- Run on pull requests and pushes to main.
- Document how findings should be triaged.
Definition of Done
- CodeQL workflow is active.
- Alerts are visible in GitHub Security.
- Security policy references the triage workflow.
Goal
Add CodeQL scanning after real application code is added under �pps/ or shared code is added under packages/.
Why It Matters
The current repo is mostly documentation and local automation. CodeQL becomes more valuable once there is application logic, API handling, authentication, data processing, or frontend code to analyze.
Initial Scope
Definition of Done