fix(security): resolve three deferred Hypatia findings (CodeQL/scorecard/setup.sh)

[hyperpolymath]

Why

Resolves three deferred Hypatia findings in wokelangiser.

Changes

1. CodeQL — scan Rust source (.github/workflows/codeql.yml)

The "nominal-only SAST" finding's literal remediation (language: actions) was already in place, so that finding was stale. The real gap: only workflow YAML was scanned, never the repo's Rust source (the primary implementation). Added language: rust (build-mode: none, buildless) to the matrix so CodeQL now analyses the actual code too. (Zig/Idris2 aren't CodeQL-supported, so they're out of scope.)

2. Scorecard — de-publish the enforcer (.github/workflows/scorecard-enforcer.yml)

The scorecard job held a privileged publish step (id-token: write, security-events: write) right next to a custom run: score-gate — the scorecard_publish_with_run_step pattern. Since scorecard.yml (the reusable workflow) already publishes results, the enforcer's publish was redundant. Now:

• publish_results: false
• removed the upload-sarif step
• job reduced to contents: read
• the score gate still runs on the locally-generated results.sarif

No new actions added (no new dependency-pinning surface).

3. setup.sh — verified just install (CWE-494)

Replaced both curl -fsSL https://just.systems/install.sh | bash calls with a install_just_pinned() helper:

• pins just 1.53.0
• maps platform/arch → release target triple
• downloads the tarball over HTTPS, verifies SHA256 (per-target, taken from the release SHA256SUMS), then extracts + installs
• fails closed on checksum mismatch or unsupported arch
• usage comment now documents download → review → run instead of pipe-to-shell

Verification

• sh -n setup.sh passes; both workflows parse as valid YAML.
• Functionally tested the installer's core path: downloaded just-1.53.0-x86_64-unknown-linux-musl.tar.gz, confirmed the pinned SHA256 matches, confirmed a wrong hash is rejected (fail-closed), extracted just, and ran it (just 1.53.0).
• CI on this PR will exercise both CodeQL matrix jobs (actions, rust) and the de-published scorecard job.

🤖 Generated with Claude Code

https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5

---

Generated by Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 6 issues detected

Severity	Count
🔴 Critical	1
🟠 High	3
🟡 Medium	2

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (2 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/wokelangiser/wokelangiser/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 24,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/wokelangiser/wokelangiser/.envrc",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in wokelangiser",
    "type": "DependencyPinning",
    "file": "/home/runner/work/wokelangiser/wokelangiser",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
    "scorecard_check": "Pinned-Dependencies"
  },
  {
    "reason": "Repository has 12 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/workflow_audit/scorecard_publish_with_run_step -- Hypatia workflow_audit: scorecard_publish_with_run_step -- 20 day(s) old [STALE]",
    "type": "CSA001",
    "file": "scorecard-enforcer.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code-scanning alert hypatia/workflow_audit/scorecard_publish_with_run_step (high) at scorecard-enforcer.yml is 20 days old (threshold: 7 days) -- overdue for remediation",
    "type": "CSA003",
    "file": "scorecard-enforcer.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.