[codex] Apply audit remediation

[Pigbibi]

Summary

• apply the 2026-06-10 audit remediation items
• tighten GitHub workflow permissions, job timeouts, and scheduled/manual concurrency where applicable
• add focused characterization or governance checks where this repository has runtime-facing changes

Validation

• targeted local tests and lint checks were run before publishing
• workflow governance scan passed across the remediation scope
• git diff --check passed across the remediation scope

See local audit report: QuantStrategyLab-review-2026-06-10.md.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8675af6205

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid timing out degraded market-data fallback runs

When this scheduled/manual workflow runs with MARKET_DATA_PROXY_URLS or a proxy pool containing even one unreachable proxy, the new 45-minute job cap can kill the run before it writes any advisory artifacts. The build keeps network market confirmation enabled with the default --market-max-symbols 80, and fetch_yahoo_bars_with_fallback tries the direct Yahoo request plus each proxy for every symbol with a 20s timeout, so a direct timeout plus one dead proxy is already about 80 * 2 * 20s (>53 minutes) before report generation and fallback/cache behavior can complete. Please either bound the proxy/symbol inputs in this workflow or set the job timeout above the worst bounded path.

Useful? React with 👍 / 👎.