diff --git a/.coderabbit.yaml b/.coderabbit.yaml
index 8e95e319..4de38d5c 100644
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -2,7 +2,7 @@
 # desloppify — Multi-language code quality scanner with advocacy extensions.
 # Meta: the quality scanner is reviewed by the quality scanner.
 language: en-US
-tone_instructions: "Direct and concise. Apply extra rigor — DRY violations and shallow abstractions here are especially ironic."
+tone_instructions: "Direct and concise. Flag actionable issues only. DRY violations here are especially ironic — apply extra rigor. Use movement terminology: campaign, investigation, coalition, farmed animal, slaughterhouse."
 
 reviews:
   profile: assertive
@@ -54,6 +54,9 @@ reviews:
       - name: "No speciesist idioms"
         mode: "error"
         instructions: "Fail on: 'livestock', 'master/slave', 'whitelist/blacklist', 'cattle vs pets', 'kill two birds', 'guinea pig' as test subject, 'farm' as industry euphemism."
+      - name: "No Tier 3 data committed"
+        mode: "error"
+        instructions: "Fail if files contain activist or whistleblower identities, legal strategy or privileged attorney communications, operational security protocols with specific implementation details, investigative footage or chain of custody records, activist PII combining name and contact info and advocacy role, NGO internal financials or strategy docs from partner organizations, or critical credentials."
 
   finishing_touches:
     unit_tests:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..dc302c12
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,42 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "17 4 * * 1"
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+  packages: read
+  actions: read
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["python"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/desloppify.yml b/.github/workflows/desloppify.yml
new file mode 100644
index 00000000..9344917f
--- /dev/null
+++ b/.github/workflows/desloppify.yml
@@ -0,0 +1,72 @@
+name: Desloppify Quality Gate
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  quality:
+    name: Code Quality Gate (score >= 70)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Cache desloppify install
+        id: cache-desloppify
+        uses: actions/cache@v4
+        with:
+          path: /tmp/desloppify
+          key: desloppify-${{ runner.os }}-${{ hashFiles('.github/workflows/desloppify.yml') }}
+
+      - name: Clone desloppify
+        if: steps.cache-desloppify.outputs.cache-hit != 'true'
+        run: |
+          git clone --no-recurse-submodules https://github.com/Open-Paws/desloppify.git /tmp/desloppify
+
+      - name: Install desloppify
+        run: pip install "/tmp/desloppify[full]"
+
+      - name: Run quality gate
+        run: |
+          SCAN_PATH="."
+          THRESHOLD=70
+          SCAN_OUTPUT=$(desloppify scan --path "${SCAN_PATH}" --profile ci --no-badge 2>&1)
+          echo "${SCAN_OUTPUT}"
+          SCORE=$(echo "${SCAN_OUTPUT}" | grep -oP 'objective \K[\d.]+(?=/100)')
+          if [ -z "${SCORE}" ]; then
+            echo "ERROR: could not extract objective score from desloppify output"
+            exit 1
+          fi
+          echo "Objective score: ${SCORE}/100"
+          python3 -c "
+          score = float('${SCORE}')
+          threshold = ${THRESHOLD}
+          if score < threshold:
+              print(f'FAIL: objective score {score} is below the minimum {threshold}')
+              raise SystemExit(1)
+          print(f'PASS: objective score {score} >= {threshold}')
+          "
+          echo "## Desloppify Quality Gate" >> "${GITHUB_STEP_SUMMARY}"
+          echo "" >> "${GITHUB_STEP_SUMMARY}"
+          echo "| | |" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|---|---|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "| Objective score | **${SCORE}/100** |" >> "${GITHUB_STEP_SUMMARY}"
+          echo "| Threshold | ${THRESHOLD} |" >> "${GITHUB_STEP_SUMMARY}"
+          echo "| Scan path | \`${SCAN_PATH}\` |" >> "${GITHUB_STEP_SUMMARY}"
+          python3 -c "
+          score = float('${SCORE}')
+          result = 'PASS' if score >= ${THRESHOLD} else 'FAIL'
+          print(f'| Result | **{result}** |')
+          " >> "${GITHUB_STEP_SUMMARY}"