hyperpolymath · hyperpolymath · May 26, 2026 · May 26, 2026
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# codeql-reusable.yml — Reusable CodeQL security-analysis workflow.
+#
+# Consolidates the per-repo `codeql.yml` workflow (estate-wide: 263
+# deployments, 69 unique blob SHAs, 26% structural drift). Language
+# matrix distribution across the estate:
+#
+#   javascript-typescript        223 (84.8%)
+#   actions                       22  (8.4%)
+#   NONE (no matrix declared)      6  (2.3%)
+#   rust                           3  (1.1%)
+#   javascript-typescript,rust     3  (1.1%)
+#   actions,javascript-typescript  3  (1.1%)
+#   actions,javascript-typescript,rust 2 (0.8%)
+#   actions,rust                   1  (0.4%)
+#
+# 100% of estate variants currently use `build-mode: none`.
+#
+# Design: single-language single-job reusable. Multi-language wrappers
+# invoke the reusable once per language (parallel-by-construction).
+# This avoids the matrix-as-input awkwardness while preserving per-
+# language SARIF separation via the `category` step.
+#
+# Caller examples:
+#
+#   # Single-language (~85% of estate):
+#   jobs:
+#     codeql:
+#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
+#       # defaults to language=javascript-typescript, build-mode=none
+#
+#   # Rust-only:
+#   jobs:
+#     codeql:
+#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
+#       with:
+#         language: rust
+#
+#   # Multi-language (JS/TS + actions + Rust):
+#   jobs:
+#     codeql-js:
+#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
+#     codeql-actions:
+#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
+#       with:
+#         language: actions
+#     codeql-rust:
+#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
+#       with:
+#         language: rust
+
+name: CodeQL Security Analysis (reusable)
+
+on:
+  workflow_call:
+    inputs:
+      language:
+        description: 'CodeQL language identifier (e.g. javascript-typescript, rust, actions). Single language per call; multi-language wrappers invoke the reusable once per language.'
+        type: string
+        required: false
+        default: javascript-typescript
+      build-mode:
+        description: 'CodeQL build mode (none|autobuild|manual). 100% of estate currently uses "none"; override only for compiled languages that require explicit build.'
+        type: string
+        required: false
+        default: none
+      runs-on:
+        description: 'Runner label for the analyze job'
+        type: string
+        required: false
+        default: ubuntu-latest
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ${{ inputs.runs-on }}
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
+        with:
+          languages: ${{ inputs.language }}
+          build-mode: ${{ inputs.build-mode }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
+        with:
+          category: "/language:${{ inputs.language }}"