fix: add allowlist normalization and validation in permissions repair process

scripts/ci/check-codeql-parity.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CODEQL_WORKFLOW=".github/workflows/codeql.yml"
+TASKS_FILE=".vscode/tasks.json"
+GO_PRECOMMIT_SCRIPT="scripts/pre-commit-hooks/codeql-go-scan.sh"
+JS_PRECOMMIT_SCRIPT="scripts/pre-commit-hooks/codeql-js-scan.sh"
+
+fail() {
+  local message="$1"
+  echo "::error title=CodeQL parity drift::${message}"
+  exit 1
+}
+
+ensure_event_branches() {
+  local workflow_file="$1"
+  local event_name="$2"
+  local expected_line="$3"
+
+  awk -v event_name="$event_name" -v expected_line="$expected_line" '
+    /^on:/ {
+      in_on = 1
+      next
+    }
+
+    in_on && $1 == event_name ":" {
+      in_event = 1
+      next
+    }
+
+    in_on && in_event && $1 == "branches:" {
+      line = $0
+      gsub(/^ +/, "", line)
+      if (line == expected_line) {
+        found = 1
+      }
+      in_event = 0
+      next
+    }
+
+    in_on && in_event && $1 ~ /^[a-z_]+:$/ {
+      in_event = 0
+    }
+
+    END {
+      exit found ? 0 : 1
+    }
+  ' "$workflow_file"
+}
+
+[[ -f "$CODEQL_WORKFLOW" ]] || fail "Missing workflow file: $CODEQL_WORKFLOW"
+[[ -f "$TASKS_FILE" ]] || fail "Missing tasks file: $TASKS_FILE"
+[[ -f "$GO_PRECOMMIT_SCRIPT" ]] || fail "Missing pre-commit script: $GO_PRECOMMIT_SCRIPT"
+[[ -f "$JS_PRECOMMIT_SCRIPT" ]] || fail "Missing pre-commit script: $JS_PRECOMMIT_SCRIPT"
+
+ensure_event_branches "$CODEQL_WORKFLOW" "pull_request" "branches: [main, nightly, development]" || fail "codeql.yml pull_request branches must be [main, nightly, development]"
+ensure_event_branches "$CODEQL_WORKFLOW" "push" "branches: [main, nightly, development]" || fail "codeql.yml push branches must be [main, nightly, development]"
+grep -Fq 'queries: security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must pin init queries to security-and-quality"
+grep -Fq '"label": "Security: CodeQL Go Scan (CI-Aligned) [~60s]"' "$TASKS_FILE" || fail "Missing CI-aligned Go CodeQL task label"
+grep -Fq '"command": "bash scripts/pre-commit-hooks/codeql-go-scan.sh"' "$TASKS_FILE" || fail "CI-aligned Go CodeQL task must invoke scripts/pre-commit-hooks/codeql-go-scan.sh"
+grep -Fq 'codeql/go-queries:codeql-suites/go-security-and-quality.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-and-quality suite"
+grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-and-quality suite"
+
+echo "CodeQL parity check passed (workflow triggers + suite pinning + local/pre-commit suite alignment)"

scripts/pre-commit-hooks/codeql-go-scan.sh

@@ -1,16 +1,20 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Pre-commit CodeQL Go scan - CI-aligned
-set -e
+set -euo pipefail
 
 RED='\033[0;31m'
 GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m'
 
 echo -e "${BLUE}🔍 Running CodeQL Go scan (CI-aligned)...${NC}"
 echo ""
 
+if ! command -v jq >/dev/null 2>&1; then
+  echo -e "${RED}❌ jq is required for CodeQL extraction metric validation${NC}"
+  exit 1
+fi
+
 # Clean previous database
 rm -rf codeql-db-go
 
@@ -19,18 +23,47 @@ echo "📦 Creating CodeQL database..."
 codeql database create codeql-db-go \
   --language=go \
   --source-root=backend \
+  --codescanning-config=.github/codeql/codeql-config.yml \
   --threads=0 \
   --overwrite
 
 echo ""
 echo "📊 Analyzing with security-and-quality suite..."
+ANALYZE_LOG=$(mktemp)
 # Analyze with CI-aligned suite
 codeql database analyze codeql-db-go \
   codeql/go-queries:codeql-suites/go-security-and-quality.qls \
   --format=sarif-latest \
   --output=codeql-results-go.sarif \
   --sarif-add-baseline-file-info \
-  --threads=0
+  --threads=0 2>&1 | tee "$ANALYZE_LOG"
+
+echo ""
+echo "🧮 Validating extraction metric against go list baseline..."
+BASELINE_COUNT=$(cd backend && go list -json ./... | jq -s 'map((.GoFiles|length)+(.CgoFiles|length))|add')
+SCAN_LINE=$(grep -Eo 'CodeQL scanned [0-9]+ out of [0-9]+ Go files' "$ANALYZE_LOG" | tail -1 || true)
+
+if [ -z "$SCAN_LINE" ]; then
+  rm -f "$ANALYZE_LOG"
+  echo -e "${RED}❌ Could not parse CodeQL extraction metric from analyze output${NC}"
+  echo "Expected a line like: CodeQL scanned X out of Y Go files"
+  exit 1
+fi
+
+EXTRACTED_COUNT=$(echo "$SCAN_LINE" | awk '{print $3}')
+RAW_COUNT=$(echo "$SCAN_LINE" | awk '{print $6}')
+rm -f "$ANALYZE_LOG"
+
+if [ "$EXTRACTED_COUNT" != "$BASELINE_COUNT" ]; then
+  echo -e "${RED}❌ CodeQL extraction drift detected${NC}"
+  echo "  - go list compiled-file baseline: $BASELINE_COUNT"
+  echo "  - CodeQL extracted compiled files: $EXTRACTED_COUNT"
+  echo "  - CodeQL raw-repo denominator:     $RAW_COUNT"
+  echo "Resolve suite/trigger/build-tag drift before merging."
+  exit 1
+fi
+
+echo -e "${GREEN}✅ Extraction parity OK${NC} (compiled baseline=$BASELINE_COUNT, extracted=$EXTRACTED_COUNT, raw=$RAW_COUNT)"
 
 echo -e "${GREEN}✅ CodeQL Go scan complete${NC}"
 echo "Results saved to: codeql-results-go.sarif"