ci: remove CodeQL control-plane workflow

.github/workflows/codex-rails-check.yml

@@ -85,6 +85,26 @@ jobs:
             go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.12 -shellcheck= -pyflakes= "${files[@]}"
           fi
 
+      - name: Reject prohibited code scanning actions
+        shell: bash
+        run: |
+          set -euo pipefail
+          shopt -s nullglob
+          files=(.github/workflows/*.yml .github/workflows/*.yaml .github/workflow-templates/*.yml .github/workflow-templates/*.yaml)
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No workflow YAML files found."
+            exit 0
+          fi
+          blocked_owner="github"
+          blocked_prefix="code"
+          blocked_suffix="ql-action"
+          blocked="${blocked_owner}/${blocked_prefix}${blocked_suffix}"
+          if grep -RInE "^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*${blocked}([/@[:space:]]|$)" "${files[@]}"; then
+            echo "::error::EvalOps does not use GitHub default code scanning. Remove this workflow action and use bounded repo-owned checks instead."
+            exit 1
+          fi
+          echo "ok: no prohibited GitHub default code-scanning action references"
+
       - name: Validate workflow template metadata
         shell: bash
         run: |

SECURITY.md

@@ -25,21 +25,20 @@ This policy applies to all repositories in the [evalops](https://github.com/eval
 
 ## Code Scanning
 
-EvalOps does not enable GitHub CodeQL. Every repository is attached to the
-**EvalOps Blacksmith recommended** code security configuration
-(`id=245233`), which sets `code_scanning_default_setup: disabled` and is the
-default for new repositories.
+EvalOps does not use GitHub CodeQL or GitHub default code scanning. Every
+repository is attached to the **EvalOps Blacksmith recommended** code security
+configuration (`id=245233`), which sets `code_scanning_default_setup:
+disabled` and is the default for new repositories.
 
-Equivalent static analysis lives elsewhere:
+Security signal should come from bounded, owned checks:
 
 - `semgrep`-based custom rules in service repos (see `.semgrep/` directories
   and the `semgrep-custom` workflows).
 - Service-specific gates such as `architecture-review`, `contract-skew-check`,
   and `migration-check` in `evalops/platform`.
-- The [`codeql-guard`](.github/workflows/codeql-guard.yml) workflow in this
-  repo enforces the policy: it rejects PRs that introduce
-  `github/codeql-action` here, and it sweeps every `evalops/*` repo daily,
-  opening an issue if a CodeQL workflow file appears anywhere in the org.
+- Secret scanning, Dependabot, and targeted repository-owned analyzers with
+  explicit owners and runtime budgets.
 
-To request a policy change, open a PR against this file and the guard
-workflow.
+Do not add CodeQL workflows, generated default-setup workflows, or required
+checks backed by blanket code scanning. To request a policy change, open a PR
+against this file and the engineering-practices contract.

profile/GITHUB_ACTIONS_QUOTA.md

@@ -3,42 +3,23 @@
 EvalOps repositories should keep CI evidence useful without letting GitHub
 Actions minute or artifact quotas block unrelated pull requests.
 
-## CodeQL
-
-Run CodeQL on `main`, on a weekly schedule, and through manual dispatch. For
-pull requests, scope CodeQL with `paths` so documentation, GitOps metadata, and
-workflow-only changes do not spend full multi-language analysis capacity.
-
-Recommended PR path set:
-
-```yaml
-on:
-  pull_request:
-    paths:
-      - ".github/workflows/codeql.yml"
-      - "go.mod"
-      - "go.sum"
-      - "**/*.go"
-      - "package.json"
-      - "package-lock.json"
-      - "pnpm-lock.yaml"
-      - "yarn.lock"
-      - "bun.lock"
-      - "bun.lockb"
-      - "**/*.js"
-      - "**/*.jsx"
-      - "**/*.mjs"
-      - "**/*.cjs"
-      - "**/*.ts"
-      - "**/*.tsx"
-      - "pyproject.toml"
-      - "poetry.lock"
-      - "requirements*.txt"
-      - "**/*.py"
-```
-
-Keep the checked-in CodeQL workflow explicit. Do not rely on generated CodeQL
-runs when runner placement, matrix languages, or branch behavior matter.
+## Blanket Static Analysis
+
+Do not add CodeQL or GitHub default code-scanning workflows. EvalOps does not
+use them, and they should not become required checks, scheduled jobs, or
+generated default-setup runs.
+
+Security checks need an owner and a runtime budget before they belong in CI.
+Prefer narrow repository-owned checks that answer a concrete question:
+
+- Semgrep custom rules for known repo-local failure modes.
+- Contract, migration, schema, and architecture checks with small inputs.
+- Secret scanning and Dependabot alerts handled through the security SLO.
+- One-shot diagnostic scripts that are not required merge gates unless the
+  signal is high-yield and fast.
+
+When a scanner is slow, noisy, or ownerless, remove it instead of tuning the
+required status list around it.
 
 ## Artifacts
 

profile/README.md

@@ -5,7 +5,7 @@ The organizational operating system for AI agent workforces — evaluation, gove
 ## Operating Conventions
 
 - [Agent authorship attribution](AGENT_AUTHORSHIP.md) — git trailers, PR labels, and audit indexing for Maestro-authored code.
-- [GitHub Actions quota hygiene](GITHUB_ACTIONS_QUOTA.md) — CodeQL scoping, artifact retention, and quota-safe diagnostics.
+- [GitHub Actions quota hygiene](GITHUB_ACTIONS_QUOTA.md) — scanner budget, artifact retention, and quota-safe diagnostics.
 - [Engineering practices](ENGINEERING_PRACTICES.md) — tiered merge policy, backlog lifecycle, release trains, security SLOs, and evidence-first completion.
 
 ## Platform Services