[codex] Apply audit remediation

[Pigbibi]

Summary

• apply the 2026-06-10 audit remediation items
• tighten GitHub workflow permissions, job timeouts, and scheduled/manual concurrency where applicable
• add focused characterization or governance checks where this repository has runtime-facing changes

Validation

• targeted local tests and lint checks were run before publishing
• workflow governance scan passed across the remediation scope
• git diff --check passed across the remediation scope

See local audit report: QuantStrategyLab-review-2026-06-10.md.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5015fc9bf1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Raise deploy job timeout above wait loop

When ENABLE_GITHUB_ENV_SYNC is true, this same job can enter the existing “Wait for Cloud Run deployment of current commit” step, which sets deadline=$((SECONDS + 1800)) and sleeps until another deployment lands the current SHA. The new 20-minute job timeout will kill the workflow before that 30-minute wait can complete, and it also has to cover checkout, dependency installation, auth, and any optional image build first, so legitimate env-sync runs can now fail before their own timeout/error handling is reached.

Useful? React with 👍 / 👎.