From 5147abb0a2b52e393dac4752f4bedab30a7eda2c Mon Sep 17 00:00:00 2001 From: Mehdi Date: Tue, 10 Feb 2026 06:14:55 +0000 Subject: [PATCH 1/4] docs: add kanban backlog card for poutine rollout --- docs/BACKLOG.md | 82 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 docs/BACKLOG.md diff --git a/docs/BACKLOG.md b/docs/BACKLOG.md new file mode 100644 index 0000000..a52f645 --- /dev/null +++ b/docs/BACKLOG.md 
@@ -0,0 +1,82 @@ +# Backlog Kanban + +## Ready + +### P0: Implement Poutine CI Security Scan and Triage Findings + +- Status: `READY` +- Priority: `P0` +- Type: `Security / CI` +- Owner: `Unassigned` + +#### Context + +Public repositories in the org are moving toward required poutine workflow enforcement. `ai-code-fusion` should implement poutine scanning now so future org-level enforcement does not break CI. + +#### Outcome + +Add a repository workflow that runs poutine against GitHub Actions configurations, uploads SARIF to code scanning, and leaves the repository with actionable findings fixed or narrowly acknowledged. + +#### Implementation Instructions + +1. Create `.github/workflows/poutine.yml`. +2. Configure triggers: + - `pull_request` on `main` + - `push` on `main` + - `workflow_dispatch` + - weekly schedule (for example Monday 05:00 UTC) +3. Set least-privilege permissions: + - workflow-level: `contents: read` + - job-level: `contents: read`, `security-events: write` +4. Add one `poutine` job on `ubuntu-latest`. +5. Implement steps: + - checkout with pinned SHA (`actions/checkout`) + - run `boostsecurityio/poutine-action` pinned to immutable commit SHA + - `format: sarif` + - `output: results.sarif` + - upload SARIF with pinned `github/codeql-action/upload-sarif` + - `sarif_file: results.sarif` + - upload `results.sarif` as artifact (14-day retention) +6. Do not set `continue-on-error` for the poutine scan step. +7. Triage findings in `.github/workflows/*.yml`: + - fix real issues directly + - keep actions pinned to immutable SHAs + - avoid self-hosted runners for PR-triggered workflows in this public repo +8. If a finding is non-actionable, add `.poutine.yml` with minimal skip rules and explicit rationale comments. Keep skips path-scoped where possible. +9. Update `docs/DEVELOPMENT.md` with a short CI/security note about the new poutine workflow. 
+ +#### Constraints + +- Do not weaken existing security workflows: + - `.github/workflows/codeql.yml` + - `.github/workflows/dependency-review.yml` + - `.github/workflows/qa-matrix.yml` + - `.github/workflows/release.yml` + - `.github/workflows/sbom.yml` + - `.github/workflows/secrets-gate.yml` + - `.github/workflows/sonarcloud.yml` +- Keep existing pinned-action security posture. +- No unrelated refactors. + +#### Acceptance Criteria + +1. `.github/workflows/poutine.yml` runs successfully on PR and push to `main`. +2. SARIF is uploaded successfully and visible in GitHub code scanning. +3. Poutine workflow is green on `main`. +4. Any `.poutine.yml` skip has explicit rationale and narrow scope. +5. Existing checks remain green. + +#### Verification Commands + +```bash +npm run lint +npm test -- --runInBand +``` + +## In Progress + +- None. + +## Done + +- None. From 508f6aef52b5f6a48f557acd32660edd33533265 Mon Sep 17 00:00:00 2001 From: Mehdi Date: Tue, 10 Feb 2026 06:23:33 +0000 Subject: [PATCH 2/4] ci: add poutine security scan workflow --- .github/workflows/poutine.yml | 48 +++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/poutine.yml diff --git a/.github/workflows/poutine.yml b/.github/workflows/poutine.yml new file mode 100644 index 0000000..5ae6df6 --- /dev/null +++ b/.github/workflows/poutine.yml 
@@ -0,0 +1,48 @@ +name: Poutine CI Workflow Security + +on: + pull_request: + branches: ['main'] + push: + branches: ['main'] + workflow_dispatch: + schedule: + - cron: '0 5 * * 1' + +permissions: + contents: read + +jobs: + poutine: + name: poutine + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + with: + persist-credentials: false + + - name: Run poutine scan + uses: boostsecurityio/poutine-action@2182d43cbb4088c750e12f48713d084ae273ed3f # v0.15.2 + with: + format: sarif + output: results.sarif + + - name: Upload poutine SARIF + uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 + with: + sarif_file: results.sarif + category: /tool:poutine + + - name: Upload poutine artifact + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + with: + name: poutine-sarif + path: results.sarif + if-no-files-found: error + retention-days: 14 From 857f057fa53ce8cee97f7a2104e957a2d7883e24 Mon Sep 17 00:00:00 2001 From: Mehdi Date: Tue, 10 Feb 2026 06:24:39 +0000 Subject: [PATCH 3/4] chore: drop backlog doc from poutine PR --- docs/BACKLOG.md | 82 ------------------------------------------------- 1 file changed, 82 deletions(-) delete mode 100644 docs/BACKLOG.md diff --git a/docs/BACKLOG.md b/docs/BACKLOG.md deleted file mode 100644 index a52f645..0000000 --- a/docs/BACKLOG.md +++ /dev/null 
@@ -1,82 +0,0 @@ -# Backlog Kanban - -## Ready - -### P0: Implement Poutine CI Security Scan and Triage Findings - -- Status: `READY` -- Priority: `P0` -- Type: `Security / CI` -- Owner: `Unassigned` - -#### Context - -Public repositories in the org are moving toward required poutine workflow enforcement. `ai-code-fusion` should implement poutine scanning now so future org-level enforcement does not break CI. - -#### Outcome - -Add a repository workflow that runs poutine against GitHub Actions configurations, uploads SARIF to code scanning, and leaves the repository with actionable findings fixed or narrowly acknowledged. - -#### Implementation Instructions - -1. Create `.github/workflows/poutine.yml`. -2. Configure triggers: - - `pull_request` on `main` - - `push` on `main` - - `workflow_dispatch` - - weekly schedule (for example Monday 05:00 UTC) -3. Set least-privilege permissions: - - workflow-level: `contents: read` - - job-level: `contents: read`, `security-events: write` -4. Add one `poutine` job on `ubuntu-latest`. -5. Implement steps: - - checkout with pinned SHA (`actions/checkout`) - - run `boostsecurityio/poutine-action` pinned to immutable commit SHA - - `format: sarif` - - `output: results.sarif` - - upload SARIF with pinned `github/codeql-action/upload-sarif` - - `sarif_file: results.sarif` - - upload `results.sarif` as artifact (14-day retention) -6. Do not set `continue-on-error` for the poutine scan step. -7. Triage findings in `.github/workflows/*.yml`: - - fix real issues directly - - keep actions pinned to immutable SHAs - - avoid self-hosted runners for PR-triggered workflows in this public repo -8. If a finding is non-actionable, add `.poutine.yml` with minimal skip rules and explicit rationale comments. Keep skips path-scoped where possible. -9. Update `docs/DEVELOPMENT.md` with a short CI/security note about the new poutine workflow. 
- -#### Constraints - -- Do not weaken existing security workflows: - - `.github/workflows/codeql.yml` - - `.github/workflows/dependency-review.yml` - - `.github/workflows/qa-matrix.yml` - - `.github/workflows/release.yml` - - `.github/workflows/sbom.yml` - - `.github/workflows/secrets-gate.yml` - - `.github/workflows/sonarcloud.yml` -- Keep existing pinned-action security posture. -- No unrelated refactors. - -#### Acceptance Criteria - -1. `.github/workflows/poutine.yml` runs successfully on PR and push to `main`. -2. SARIF is uploaded successfully and visible in GitHub code scanning. -3. Poutine workflow is green on `main`. -4. Any `.poutine.yml` skip has explicit rationale and narrow scope. -5. Existing checks remain green. - -#### Verification Commands - -```bash -npm run lint -npm test -- --runInBand -``` - -## In Progress - -- None. - -## Done - -- None. From d47098e6e657648518159c38702f29d7ac1aac79 Mon Sep 17 00:00:00 2001 From: Mehdi Date: Tue, 10 Feb 2026 06:30:20 +0000 Subject: [PATCH 4/4] ci: fix poutine sarif upload and zizmor mismatch --- .github/workflows/poutine.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/poutine.yml b/.github/workflows/poutine.yml index 5ae6df6..5ff4970 100644 --- a/.github/workflows/poutine.yml +++ b/.github/workflows/poutine.yml @@ -27,11 +27,16 @@ jobs: persist-credentials: false - name: Run poutine scan - uses: boostsecurityio/poutine-action@2182d43cbb4088c750e12f48713d084ae273ed3f # v0.15.2 + uses: boostsecurityio/poutine-action@2182d43cbb4088c750e12f48713d084ae273ed3f with: format: sarif output: results.sarif + - name: Normalize poutine SARIF for GitHub upload + run: | + jq 'del(.runs[]?.tool.driver.supportedTaxonomies)' results.sarif > results.cleaned.sarif + mv results.cleaned.sarif results.sarif + - name: Upload poutine SARIF uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 with:
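Review bot: On the PATCH 1/4 hunk adding docs/BACKLOG.md, step 5 of the card lists the scan and the two upload steps without saying that the uploads must run when the scan step fails; combined with step 6 (no `continue-on-error` on the scan step), a literal implementation skips the SARIF upload on exactly the runs that produce findings, so acceptance criterion 2 (SARIF visible in code scanning) cannot be met. State in step 5 that the SARIF upload and the artifact upload run with `if: always()` (or `success() || failure()`). The card also omits `persist-credentials: false` on the checkout step, which the workflow in PATCH 2/4 sets; add it to the checklist so the least-privilege intent is written down rather than implied.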
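Review bot: In the PATCH 2/4 hunk adding .github/workflows/poutine.yml, the `Upload poutine SARIF` step has no `if:` condition while the `Upload poutine artifact` step has `if: always()`, so if `Run poutine scan` exits non-zero on findings the SARIF never reaches code scanning and the findings are only visible as a red job; add `if: success() || failure()` to the upload-sarif step, keeping the scan step itself without `continue-on-error` as the backlog card requires. Two smaller points on the same hunk: `actions/checkout`, `github/codeql-action/upload-sarif` and `actions/upload-artifact` are pinned to commit SHAs without the `# vX.Y.Z` annotation that the poutine-action pin carries, so a reviewer cannot tell which release each SHA is without resolving it; and `category: /tool:poutine` has a leading slash, which is an unusual category identifier and worth confirming is intentional rather than a typo.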
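Review bot: PATCH 3/4 deletes docs/BACKLOG.md in full (82 deletions against the 82 insertions of PATCH 1/4), so the two commits net to nothing in the merged tree; rather than carrying an add-then-delete pair, drop both from the series or rebase so the backlog card never enters this PR, which is what the commit message itself says the intent is.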
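Review bot: In the PATCH 4/4 hunk, the new `Normalize poutine SARIF for GitHub upload` step gives no reason for deleting `.runs[].tool.driver.supportedTaxonomies`; add a YAML comment above the `run:` block recording why the unmodified SARIF was rejected by `upload-sarif` (the commit title only says "fix poutine sarif upload"), otherwise nobody will know whether the step can be removed once the upstream format changes. The jq-then-mv sequence is fine as written, since a jq failure fails the step under the default `-e` shell, but note that the step runs only when the scan step succeeds and so inherits the same skip-on-failure behaviour as the upload step. On the first changed line of the hunk, the `# v0.15.2` annotation is dropped from the poutine-action pin (the commit title cites a zizmor mismatch); if the comment did not match the SHA, correct it to the tag the SHA actually resolves to instead of removing it, because a bare SHA is harder to audit and to bump.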