[codex] Apply audit remediation

[Pigbibi]

Summary

• apply the 2026-06-10 audit remediation items
• tighten GitHub workflow permissions, job timeouts, and scheduled/manual concurrency where applicable
• add focused characterization or governance checks where this repository has runtime-facing changes

Validation

• targeted local tests and lint checks were run before publishing
• workflow governance scan passed across the remediation scope
• git diff --check passed across the remediation scope

See local audit report: QuantStrategyLab-review-2026-06-10.md.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4b50302e60

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Raise the deploy job timeout above its wait budget

When ENABLE_GITHUB_ENV_SYNC=true, this job can enter the Wait for Cloud Run deployment of current commit loop, which intentionally waits until deadline=$((SECONDS + 1800)) before failing. The new 20-minute job timeout is shorter than that 30-minute wait, and it also has to cover checkout/auth/build/push/deploy before the loop, so a slow Cloud Run rollout will be killed by GitHub Actions before the workflow's own timeout/error handling can complete.

Useful? React with 👍 / 👎.