chore: update CodeQL workflow to include feature and fix branches and enhance JS scan script

.github/workflows/codeql.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
     branches: [main, nightly, development]
   push:
-    branches: [main, nightly, development]
+    branches: [main, nightly, development, 'feature/**', 'fix/**']
   workflow_dispatch:
   schedule:
     - cron: '0 3 * * 1' # Mondays 03:00 UTC

.vscode/tasks.json

@@ -466,7 +466,7 @@
         {
             "label": "Security: CodeQL JS Scan (CI-Aligned) [~90s]",
             "type": "shell",
-            "command": "rm -rf codeql-db-js && codeql database create codeql-db-js --language=javascript --build-mode=none --source-root=frontend --codescanning-config=.github/codeql/codeql-config.yml --overwrite --threads=0 && codeql database analyze codeql-db-js --format=sarif-latest --output=codeql-results-js.sarif --sarif-add-baseline-file-info --threads=0",
+            "command": "bash scripts/pre-commit-hooks/codeql-js-scan.sh",
             "group": "test",
             "problemMatcher": []
         },

docs/reports/codeql_pr718_origin_map.md

@@ -0,0 +1,58 @@
+# PR 718 CodeQL Origin Map
+
+Date: 2026-02-18
+Source PR: https://github.com/Wikid82/Charon/pull/718
+
+## Scope
+
+- Mapped all **high severity** CodeQL alerts from PR 718 (GitHub API `code-scanning/alerts?pr=718&state=open`).
+- For each alert, traced `path:line` to introducing commit via `git blame`.
+- Classified each introducing commit as:
+  - `on_main=yes`: already reachable from `origin/main`
+  - `on_main=no`: not reachable from `origin/main` (arrives via promotion PR range)
+
+## Results
+
+- High severity alerts mapped: **67**
+- `on_main=yes`: **0**
+- `on_main=no`: **67**
+
+### Rule distribution (high only)
+
+- `go/log-injection`: 58
+- `js/regex/missing-regexp-anchor`: 6
+- `js/insecure-temporary-file`: 3
+
+### Dominant introducing commits
+
+- `3169b051561c1a380a09ba086c81d48b4d0bf0ba` → 61 alerts
+  - Subject: `fix: skip incomplete system log viewer tests`
+- `a14f6ee41f4ba9718909471a99e7ea8876590954` → 3 alerts
+  - Subject: `fix: add refresh token endpoint to authentication routes`
+- `d0334ddd40a54262689283689bff19560458e358` → 1 alert
+  - Subject: `fix: enhance backup service to support restoration from WAL files and add corresponding tests`
+- `a44530a682de5ace9e1f29b9b3b4fdf296f1bed2` → 1 alert
+  - Subject: `fix: change Caddy config reload from async to sync for deterministic applied state`
+- `5a46ef4219d0bab6f7f951c6d690d3ad22c700c2` → 1 alert
+  - Subject: `fix: include invite URL in user invitation response and update related tests`
+
+## Representative mapped alerts
+
+- `1119` `js/regex/missing-regexp-anchor` at `tests/tasks/import-caddyfile.spec.ts:324`
+  - commit: `3169b051561c1a380a09ba086c81d48b4d0bf0ba` (`on_main=no`)
+- `1112` `js/insecure-temporary-file` at `tests/fixtures/auth-fixtures.ts:181`
+  - commit: `a14f6ee41f4ba9718909471a99e7ea8876590954` (`on_main=no`)
+- `1109` `go/log-injection` at `backend/internal/services/uptime_service.go:1090`
+  - commit: `3169b051561c1a380a09ba086c81d48b4d0bf0ba` (`on_main=no`)
+- `1064` `go/log-injection` at `backend/internal/api/handlers/user_handler.go:545`
+  - commit: `5a46ef4219d0bab6f7f951c6d690d3ad22c700c2` (`on_main=no`)
+
+## Interpretation
+
+- For high alerts, this mapping indicates they are tied to commits not yet on `main` and now being introduced together via the very large promotion range.
+- This does **not** imply all were authored in PR 718; it means PR 718 is the first main-targeting integration point where these commits are entering `main` and being classified in that context.
+
+## Important note on “CodeQL comments only on PRs to main?”
+
+- The workflow in this branch (`.github/workflows/codeql.yml`) is configured for `pull_request` on `main`, `nightly`, and `development`.
+- CodeQL itself does not rely on PR comments for enforcement; annotations/check results depend on workflow trigger execution and default-branch security baseline context.

docs/reports/qa_report.md

@@ -498,6 +498,36 @@ Primary root cause is **test isolation breakdown under race+shuffle execution**,
 - **Scoped fix validation**: PASS (targeted flaky tests stabilized).
 - **Full CI-parity matrix**: FAIL (broader baseline instability remains; not fully resolved in this pass).
 
+## CodeQL Hardening Validation - 2026-02-18
+
+### Scope
+
+- `.github/workflows/codeql.yml`
+- `.vscode/tasks.json`
+- `scripts/ci/check-codeql-parity.sh`
+- `scripts/pre-commit-hooks/codeql-js-scan.sh`
+
+### Validation Results
+
+- `actionlint .github/workflows/codeql.yml` -> **PASS** (`ACTIONLINT_OK`)
+- `shellcheck scripts/ci/check-codeql-parity.sh scripts/pre-commit-hooks/codeql-js-scan.sh` -> **PASS** (`SHELLCHECK_OK`)
+- `bash scripts/ci/check-codeql-parity.sh` -> **PASS** (`CodeQL parity check passed ...`, `PARITY_OK`)
+- `pre-commit run --hook-stage manual codeql-check-findings --all-files` -> **PASS** (`Block HIGH/CRITICAL CodeQL Findings...Passed`, `FINDINGS_GATE_OK`)
+
+### JS CI-Aligned Task Scope/Output Check
+
+- Task `Security: CodeQL JS Scan (CI-Aligned) [~90s]` in `.vscode/tasks.json` invokes `bash scripts/pre-commit-hooks/codeql-js-scan.sh` -> **PASS**
+- Script uses `--source-root=.` so repository-wide JavaScript/TypeScript analysis scope includes `tests/` and other TS/JS paths, not only `frontend/` -> **PASS**
+- Script SARIF output remains `--output=codeql-results-js.sarif` -> **PASS**
+
+### Overall Verdict
+
+- **PASS**
+
+### Blockers
+
+- **None** for this validation scope.
+
 ### Recommended Next Fix Plan (No Sleep/Retry Band-Aids)
 
 1. Enforce per-test DB isolation in remaining backend test helpers still using shared sqlite state.

scripts/ci/check-codeql-parity.sh

@@ -54,10 +54,12 @@ ensure_event_branches() {
 [[ -f "$JS_PRECOMMIT_SCRIPT" ]] || fail "Missing pre-commit script: $JS_PRECOMMIT_SCRIPT"
 
 ensure_event_branches "$CODEQL_WORKFLOW" "pull_request" "branches: [main, nightly, development]" || fail "codeql.yml pull_request branches must be [main, nightly, development]"
-ensure_event_branches "$CODEQL_WORKFLOW" "push" "branches: [main, nightly, development]" || fail "codeql.yml push branches must be [main, nightly, development]"
+ensure_event_branches "$CODEQL_WORKFLOW" "push" "branches: [main, nightly, development, 'feature/**', 'fix/**']" || fail "codeql.yml push branches must be [main, nightly, development, 'feature/**', 'fix/**']"
 grep -Fq 'queries: security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must pin init queries to security-and-quality"
 grep -Fq '"label": "Security: CodeQL Go Scan (CI-Aligned) [~60s]"' "$TASKS_FILE" || fail "Missing CI-aligned Go CodeQL task label"
 grep -Fq '"command": "bash scripts/pre-commit-hooks/codeql-go-scan.sh"' "$TASKS_FILE" || fail "CI-aligned Go CodeQL task must invoke scripts/pre-commit-hooks/codeql-go-scan.sh"
+grep -Fq '"label": "Security: CodeQL JS Scan (CI-Aligned) [~90s]"' "$TASKS_FILE" || fail "Missing CI-aligned JS CodeQL task label"
+grep -Fq '"command": "bash scripts/pre-commit-hooks/codeql-js-scan.sh"' "$TASKS_FILE" || fail "CI-aligned JS CodeQL task must invoke scripts/pre-commit-hooks/codeql-js-scan.sh"
 grep -Fq 'codeql/go-queries:codeql-suites/go-security-and-quality.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-and-quality suite"
 grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-and-quality suite"
 

scripts/pre-commit-hooks/codeql-js-scan.sh

@@ -2,9 +2,7 @@
 # Pre-commit CodeQL JavaScript/TypeScript scan - CI-aligned
 set -e
 
-RED='\033[0;31m'
 GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m'
 
@@ -22,7 +20,8 @@ echo "📦 Creating CodeQL database..."
 codeql database create codeql-db-js \
   --language=javascript \
   --build-mode=none \
-  --source-root=frontend \
+  --source-root=. \
+  --codescanning-config=.github/codeql/codeql-config.yml \
   --threads=0 \
   --overwrite