[codex] Apply audit remediation

[Pigbibi]

Summary

• apply the 2026-06-10 audit remediation items
• tighten GitHub workflow permissions, job timeouts, and scheduled/manual concurrency where applicable
• add focused characterization or governance checks where this repository has runtime-facing changes

Validation

• targeted local tests and lint checks were run before publishing
• workflow governance scan passed across the remediation scope
• git diff --check passed across the remediation scope

See local audit report: QuantStrategyLab-review-2026-06-10.md.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 994c938ac8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Move timeout-minutes out of the runs-on block

In this workflow, timeout-minutes was inserted between runs-on: and the runner-label list, so the YAML structure is invalid: runs-on has no value and the subsequent - self-hosted entries are indented under a scalar key. This will prevent the monthly audit workflow from being parsed/loaded by GitHub Actions; place timeout-minutes as a sibling after the complete runs-on list.

Useful? React with 👍 / 👎.