fix: add allowlist normalization and validation in permissions repair process

.github/workflows/codeql.yml

@@ -2,7 +2,7 @@ name: CodeQL - Analyze
 
 on:
   pull_request:
-    branches: [main, nightly]
+    branches: [main, nightly, development]
   push:
     branches: [main, nightly, development]
   workflow_dispatch:
@@ -42,10 +42,15 @@ jobs:
         with:
           ref: ${{ github.sha }}
 
+      - name: Verify CodeQL parity guard
+        if: matrix.language == 'go'
+        run: bash scripts/ci/check-codeql-parity.sh
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
         with:
           languages: ${{ matrix.language }}
+          queries: security-and-quality
           # Use CodeQL config to exclude documented false positives
           # Go: Excludes go/request-forgery for url_testing.go (has 4-layer SSRF defense)
           # See: .github/codeql/codeql-config.yml for full justification