nikolay-e
diff --git a/‎.github/workflows/cd.yml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/cd.yml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 12 additions & 41 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 12 additions & 41 deletions
diff --git a/‎.gitleaks.toml‎
Lines changed: 9 additions & 0 deletions b/‎.gitleaks.toml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 1 addition & 19 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 1 addition & 19 deletions
@@ -1,8 +1,7 @@
 # .github/workflows/cd.yml
 name: treemapper CD
 
-permissions:
-  contents: write
+permissions: {}
 
 'on':
   workflow_dispatch:
@@ -316,6 +315,8 @@ jobs:
       (needs.publish-to-pypi.result == 'success' ||
        needs.publish-to-pypi.result == 'skipped')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Download git bundle
         uses: actions/download-artifact@v7
 
@@ -1,10 +1,6 @@
 # .github/workflows/ci.yml
 name: treemapper CI
 
-permissions:
-  contents: read
-  security-events: write  # For CodeQL
-
 'on':
   pull_request:
     branches: ['**']
@@ -19,6 +15,8 @@ jobs:
   pre-commit:
     name: Pre-commit hooks
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
 
@@ -47,6 +45,8 @@ jobs:
   lint-type-check:
     name: Lint & Type Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout Code
         uses: actions/checkout@v6
@@ -90,6 +90,8 @@ jobs:
         python-version: ['3.10', '3.11', '3.12', '3.13']
 
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout Code
@@ -144,50 +146,15 @@ jobs:
             test-results.xml
           retention-days: 1
 
-  # ============================================================================
-  # PyPy Compatibility Testing
-  # ============================================================================
-  test-pypy:
-    needs: [pre-commit, lint-type-check]
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: [pypy-3.10, pypy-3.11]
-
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v6
-
-      - name: Set up PyPy ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Cache pip Dependencies
-        uses: actions/cache@v5
-        with:
-          path: ~/.cache/pip
-          key: pypy-${{ matrix.python-version }}-pip-${{ hashFiles('**/pyproject.toml') }}
-          restore-keys: |
-            pypy-${{ matrix.python-version }}-pip-
-
-      - name: Install Dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -e .
-          pip install pytest
-
-      - name: Run Tests
-        run: pytest -v
-
   # ============================================================================
   # Mutation Testing (test effectiveness validation)
   # Evidence: Mutation score correlates with real fault detection
   # ============================================================================
   mutation-testing:
     name: Mutation Testing
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 
     steps:
@@ -218,6 +185,8 @@ jobs:
   complexity-checks:
     name: Complexity & Maintainability Analysis
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@v6
@@ -254,6 +223,8 @@ jobs:
   architecture-checks:
     name: Architecture & Import Contracts
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@v6
 
@@ -0,0 +1,9 @@
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+    '''\.secrets\.baseline''',
+    '''tests/cases/diff/kubernetes/k8s_406_secret_reference\.yaml''',
+    '''tests/cases/diff/kubernetes/k8s_418_image_pull_secret\.yaml''',
+]
@@ -29,7 +29,7 @@ repos:
       - id: debug-statements
       - id: name-tests-test
         args: ["--pytest-test-first"]
-        exclude: ^tests/(utils|conftest)\.py$
+        exclude: ^tests/(utils|conftest|framework/.*)\.py$
       - id: fix-byte-order-marker
       - id: detect-private-key
 
@@ -100,24 +100,6 @@ repos:
   # ============================================================================
   # SECURITY & VULNERABILITY DETECTION
   # ============================================================================
-  - repo: https://github.com/trailofbits/pip-audit
-    rev: v2.9.0
-    hooks:
-      - id: pip-audit
-        name: pip-audit (CVE detection in dependencies)
-        args:
-          [
-            "--desc",
-            "on",
-            "--skip-editable",
-            "--ignore-vuln",
-            "GHSA-4xh5-x5gv-qwph",
-            "--ignore-vuln",
-            "GHSA-gm62-xv2j-4w53",
-            "--ignore-vuln",
-            "GHSA-2xpw-w6gg-jr37",
-          ]
-
   - repo: https://github.com/Yelp/detect-secrets
     rev: v1.5.0
     hooks: