fix(ci): CodeQL language-aware detection

[hyperpolymath]

Canonical-template gap (verisimiser#102 cascade). Hard-coded language: javascript-typescript made CodeQL exit 'no source / configuration error' on every non-JS/TS repo — a permanent false-red analyze on most repos' main. Replace with a detect job that reads the repo's actual languages and only analyses CodeQL-supported, buildless-safe ones (rust, javascript-typescript, python, ruby, go); analyze is skipped (neutral) when none apply. Updated 14 codeql.yml copies.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

[github-actions]

🔍 Hypatia Security Scan

Findings: 191 issues detected

Severity	Count
🔴 Critical	14
🟠 High	110
🟡 Medium	67

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/reposystem/reposystem/tools/rsr-certified/extensions/vscode/src/extension.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/stateful-artefacts/browser-extension/scripts/popup.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/stateful-artefacts/browser-extension/scripts/content.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (4 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/stateful-artefacts/dashboard/js/dashboard.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/stateful-artefacts/annotation-layer/annotations.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (7 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/web/app.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "HTTP URL in code -- use HTTPS for non-localhost (16 occurrences, CWE-319)",
    "type": "js_http_url_in_code",
    "file": "/home/runner/work/reposystem/reposystem/web/app.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "HTTP URL in code -- use HTTPS for non-localhost (1 occurrences, CWE-319)",
    "type": "js_http_url_in_code",
    "file": "/home/runner/work/reposystem/reposystem/gui/lib/rescript-tea/src/tea_svg.res.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "HTTP URL in code -- use HTTPS for non-localhost (10 occurrences, CWE-319)",
    "type": "js_http_url_in_code",
    "file": "/home/runner/work/reposystem/reposystem/gui/lib/rescript-tea/src/tea_svg_attributes.res.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/reposystem/reposystem/scaffoldia/repo-slm-augmentor/ncl/lib/schema.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence