ci: add CodeQL and desloppify quality gate

[samtuckerdavis]

Adds CodeQL (Python, security-extended) and desloppify quality gate (threshold ≥ 70, scan path .) per org CI/CD standards. Tooling/plugin library classification. level-3 — new workflow files.

[coderabbitai]

Warning

Rate limit exceeded

@stuckvgn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 21 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 6 minutes and 21 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 418bc210-f75d-49f9-abfe-5111dc84f527

📥 Commits

Reviewing files that changed from the base of the PR and between 4aa174f and 537c9a4.

📒 Files selected for processing (3)

• .coderabbit.yaml
• .github/workflows/codeql.yml
• .github/workflows/desloppify.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/add-ci-gates

• 🛠️ fix NAV violations: Commit on current branch
• 🛠️ fix NAV violations: Create PR

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Auto-Merge Gate Check — Blocked

PR labeled needs-human-review — one or more gates failed.

Failed Gates

• Classification label missing — PR needs wave0-auto or level-0 label
• PR author 'stuckvgn' is not a known agent bot
• CI checks not all green: Incomplete: ci-contracts, typecheck, tests-full, tests-core, package-smoke, arch-contracts, lint, Analyze (python), Code Quality Gate (score >= 70), check.

How to unblock

• Fix the failing gates and push a new commit — this workflow re-runs automatically.
• If CI is still running, wait for it to complete.
• If NAV config is absent, open a task to install the no-animal-violence suite.

Permanent block

• Add the human-gate label to permanently disable auto-merge for this PR.

Auto-Merge Gate Check — 2026-04-18T14:27:38.774Z