Rust: Add AlertSuppression.ql for inline suppression comments#21638
Open: cnuss wants to merge 1 commit into github:main from
Conversation
Branch updated: 3295a0d to 832761a
Enable // codeql[...] and // lgtm[...] inline suppression comments for Rust code scanning alerts, matching the pattern used by all other supported languages. Closes github#21637
Branch updated: 832761a to 4160086
hvitved (Contributor) reviewed on Apr 7, 2026:
Thanks for your contribution; only two nits.
```ql
private import codeql.rust.elements.Comment as C
private import codeql.rust.elements.AstNode as A

class AstNode instanceof A::AstNode {
```
hvitved (Contributor): nit: `A::AstNode` should be `final`, so you can change the `instanceof` to `extends` and get rid of the `toString` predicate.
```ql
  string toString() { result = super.toString() }
}

class SingleLineComment instanceof C::Comment {
```
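Review bot: the restriction to single-line comments is not visible in the `SingleLineComment instanceof C::Comment` declaration. The PR summary says `//` comments and one-line `/* */` comments count while multi-line block comments are excluded, so the characteristic predicate (not shown in this snippet) should require the comment's start and end line to coincide, and the test directory should contain a multi-line block comment holding a `codeql[...]` marker so that exclusion is exercised; the test plan currently lists only the comment-on-a-code-line case.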
michelbr84 added a commit to michelbr84/GarraRUST that referenced this pull request on May 1, 2026:
…pt (empirical proof PASSED) (#109)

* docs(security): GAR-491 — codeql suppressions ledger + reapply script

  Establishes the suppression convention for Rust CodeQL alerts in GarraRUST. Rust CodeQL still does NOT support inline `// codeql[...]` comments (github/codeql#21638 open without merge), so the project adopts a versioned ledger + REST API dismissal mechanism per amendment-driven plan §15.

  Deliverables:
  * docs/security/codeql-suppressions.md — human-auditable ledger (6 rows).
  * docs/security/codeql-suppressions.json — machine-readable source (schema 1.0.0) consumed by the reapply script.
  * scripts/security/codeql-reapply-dismissals.sh — POSIX bash with --dry-run/--apply/--check-md/--alert flags. Fail-closed: validates rule_id, path, and start_line against the current alert before any PATCH; exit 2 on mismatch (manual re-audit), exit 3 on stale entry, exit 4 on MD/JSON drift. No automatic schedule (per amendment A8).
  * docs/security/codeql-setup.md — cross-link to the new ledger; replaces the "TBD suppression syntax" placeholder from PR #106.

  Empirical-proof status (in flight):
  * Alert #43 (rust/hard-coded-cryptographic-value @ credentials.rs:49, `vec![0u8; SALT_LEN]` immediately overwritten by SystemRandom::fill) dismissed via gh api PATCH at 2026-05-01T12:33:36Z with reason="false positive". State confirmed dismissed.
  * Pending: CodeQL re-run on this branch must preserve the dismissed state. If it does, apply the remaining 5 dismissals (#40, #41, #42, #44, #45). If it does NOT, abort and open a new sub-issue (no global query-filter fallback per amendment A3).

  Operational rules (ledger §3):
  * No bulk suppression — each row has per-line justification.
  * 90-day audit expiration (2026-08-01) forces re-triage.
  * Fail-closed reapplication: any drift between live alert and ledger surfaces to a human, never auto-fixes.
  * No global rule silencing as fallback — abort instead.

  Linear: GAR-491 (Wave 2 of GAR-486 umbrella). Status: In Progress.
  Plan file: ~/.claude/plans/voc-est-no-repo-inherited-robin.md §15-16.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(security): GAR-491 — empirical proof PASSED, all 6 alerts dismissed

  Empirical proof of the REST-dismissal + versioned-ledger mechanism: the dismissal of alert #43 (credentials.rs:49, false positive) at 12:33:36Z PERSISTED across the CodeQL re-run on this branch (run 25214464719 at 12:35:44Z, success). `state=dismissed` and `dismissed_at` were unchanged when re-queried at ~12:43Z.

  With the mechanism proven, the batch was applied:
  * 5 remaining alerts (#40, #41, #42, #44, #45) dismissed via `bash scripts/security/codeql-reapply-dismissals.sh --apply`
  * Final state of all 6 verified — all `{"state":"dismissed"}`.

  Script bugfix: the idempotent skip check originally compared the ledger snake_case `dismissed_reason` against the API's space-separated form, causing HTTP 400 "Alert is already dismissed." on re-runs. Fixed to compare against the translated `api_reason` (with spaces). A second `--apply` invocation now reports `6 skipped, 0 applied, 0 errors` — proving idempotency.

  Ledger §5 updated with the run IDs, timestamps, and final verification results. Section §6 (failure handling) was NOT exercised because the proof passed.

  Linear: GAR-491 — empirical-proof gate cleared. PR ready to mark for review (next commit / `gh pr ready`).

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

* Adds `rust/ql/src/AlertSuppression.ql` to enable `// codeql[...]` and `// lgtm[...]` inline suppression comments for Rust, matching the pattern used by all other supported languages
* Handles `//` line comments and single-line `/* */` block comments, excluding multi-line block comments
* Uses the `codeql/util/suppression/AlertSuppression.qll` module (already a dependency)
* Closes #21637

Test plan

* `codeql test run` passes for `rust/ql/test/query-tests/AlertSuppression/`
* `// codeql[...]` on code lines correctly excluded (only standalone lines suppress)
* `codeql query format` produces no changes
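The summary and test plan above describe which comments count as suppressions without showing the effect on a concrete file. The following Python model is an added illustration, not the PR's QL query and not code from the codeql project: it scans a constructed Rust snippet, keeps only standalone `//` comments and one-line `/* */` comments carrying `codeql[...]` or `lgtm[...]`, drops multi-line block comments and comments appended to code lines, and then partitions a constructed list of alerts into suppressed and active. It assumes that a standalone comment covers the line immediately after it and that the bracket may hold a comma-separated list of rule ids; the rule ids (`rust/unused-value`, `rust/other-rule`) and the snippet are made up for the example.

```python
"""Model of which alerts an inline suppression comment covers in Rust source.

Added illustration only; it mirrors the behaviour the PR summary and test plan
describe and is not the QL query itself. Assumptions are marked below.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Standalone `// codeql[...]` or `// lgtm[...]` line comment (only whitespace before it).
LINE_RE = re.compile(r"^\s*//\s*(?:codeql|lgtm)\[([^\]]*)\]")
# Standalone `/* codeql[...] */` block comment that opens and closes on the same line.
BLOCK_RE = re.compile(r"^\s*/\*\s*(?:codeql|lgtm)\[([^\]]*)\].*\*/\s*$")


@dataclass(frozen=True)
class Alert:
    rule_id: str  # constructed query id, e.g. "rust/unused-value" (not a real query)
    line: int     # 1-based line the alert is reported on


def find_suppressions(source: str) -> dict[int, set[str]]:
    """Return {covered_line: {rule ids}} for every suppression comment that counts.

    Modelled from the PR text: only standalone comment lines suppress (a marker
    appended to a code line is ignored), and `//` comments plus one-line `/* */`
    comments count while multi-line block comments do not.
    Assumption: a standalone comment covers the line immediately after it.
    """
    covered: dict[int, set[str]] = {}
    in_block = False
    for lineno, text in enumerate(source.splitlines(), start=1):
        if in_block:
            # Inside a multi-line block comment: nothing here can suppress anything.
            if "*/" in text:
                in_block = False
            continue
        start = text.find("/*")
        if start != -1 and "*/" not in text[start:]:
            # Block comment that does not close on this line: multi-line, excluded.
            in_block = True
            continue
        match = LINE_RE.match(text) or BLOCK_RE.match(text)
        if match:
            # Assumption: the bracket may list several rule ids separated by commas.
            rule_ids = {r.strip() for r in match.group(1).split(",") if r.strip()}
            covered.setdefault(lineno + 1, set()).update(rule_ids)
    return covered


def split_alerts(alerts: list[Alert], source: str) -> tuple[list[Alert], list[Alert]]:
    """Partition alerts into (suppressed, active) using the comments in `source`."""
    covered = find_suppressions(source)
    suppressed = [a for a in alerts if a.rule_id in covered.get(a.line, set())]
    active = [a for a in alerts if a not in suppressed]
    return suppressed, active


# Constructed Rust snippet; line numbers referenced below are 1-based.
SAMPLE_RS = """\
fn main() {
    // codeql[rust/unused-value]
    let _a = 1;
    let b = 2; // codeql[rust/unused-value]
    /* lgtm[rust/unused-value] */
    let _c = 3;
    /* codeql[rust/unused-value]
       spans two lines */
    let _d = 4;
    // codeql[rust/unused-value, rust/other-rule]
    let _e = 5;
}
"""

# Constructed alerts, one per case the PR text distinguishes.
SAMPLE_ALERTS = [
    Alert("rust/unused-value", 3),   # covered by the standalone comment on line 2
    Alert("rust/unused-value", 4),   # marker sits on a code line: not suppressed
    Alert("rust/unused-value", 6),   # covered by the one-line block comment on line 5
    Alert("rust/unused-value", 9),   # multi-line block comment on lines 7-8: not suppressed
    Alert("rust/unused-value", 11),  # covered, first id of the comma-separated list on line 10
    Alert("rust/other-rule", 11),    # covered, second id of the same comment
    Alert("rust/other-rule", 3),     # line 2's comment names a different rule: not suppressed
]

if __name__ == "__main__":
    done, left = split_alerts(SAMPLE_ALERTS, SAMPLE_RS)
    for alert in done:
        print("suppressed", alert)
    for alert in left:
        print("active    ", alert)
```

Running the module prints four suppressed alerts (lines 3, 6, 11, 11) and three active ones (the code-line marker on line 4, the multi-line block comment case on line 9, and the mismatched rule id on line 3); the same cases are what the PR's test directory should pin down.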