diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 3ff7430..0000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-name: CodeQL Analysis
-
-on:
- push:
- branches: [master]
- pull_request:
- branches: [master]
- schedule:
- # Run weekly on Monday at 06:17 UTC — off-peak to avoid :00/:30 congestion
- - cron: "17 6 * * 1"
-
-concurrency:
- group: codeql-${{ github.ref }}
- cancel-in-progress: true
-
-permissions:
- actions: read
- contents: read
- security-events: write
-
-jobs:
- analyze:
- name: CodeQL (${{ matrix.language }})
- runs-on: ubuntu-latest
- timeout-minutes: 30
-
- strategy:
- fail-fast: false
- matrix:
- language: [javascript-typescript]
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- # Use extended security queries for deeper analysis
- queries: security-extended,security-and-quality
- config: |
- paths:
- - apps/
- - libs/
- paths-ignore:
- - node_modules/
- - "**/dist/"
- - "**/*.spec.ts"
- - "**/*.test.ts"
- - "**/__tests__/"
-
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:${{ matrix.language }}"
- # SARIF results are automatically uploaded to GitHub Security tab
- upload: always
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 896d814..dff6db8 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -15,7 +15,6 @@ concurrency:
 permissions:
 contents: read
- security-events: write
 jobs:
 # ── Dependency Audit ─────────────────────────────────────────────
@@ -96,24 +95,6 @@ jobs:
 cache-from: type=gha,scope=api-scan
 cache-to: type=gha,mode=max,scope=api-scan
- - name: Run Trivy vulnerability scanner (API)
- uses: aquasecurity/trivy-action@v0.36.0
- with:
- image-ref: "goodgo-api:scan"
- format: "sarif"
- output: "trivy-api-results.sarif"
- severity: "CRITICAL,HIGH"
- # Ignore unfixed vulns to reduce noise
- ignore-unfixed: true
-
- - name: Upload Trivy SARIF (API)
- uses: github/codeql-action/upload-sarif@v3
- if: always()
- continue-on-error: true
- with:
- sarif_file: "trivy-api-results.sarif"
- category: "trivy-api"
-
 - name: Trivy table output (API)
 uses: aquasecurity/trivy-action@v0.36.0
 with:
@@ -145,23 +126,6 @@ jobs:
 cache-from: type=gha,scope=web-scan
 cache-to: type=gha,mode=max,scope=web-scan
- - name: Run Trivy vulnerability scanner (Web)
- uses: aquasecurity/trivy-action@v0.36.0
- with:
- image-ref: "goodgo-web:scan"
- format: "sarif"
- output: "trivy-web-results.sarif"
- severity: "CRITICAL,HIGH"
- ignore-unfixed: true
-
- - name: Upload Trivy SARIF (Web)
- uses: github/codeql-action/upload-sarif@v3
- if: always()
- continue-on-error: true
- with:
- sarif_file: "trivy-web-results.sarif"
- category: "trivy-web"
-
 - name: Trivy table output (Web)
 uses: aquasecurity/trivy-action@v0.36.0
 with:
@@ -193,23 +157,6 @@ jobs:
 cache-from: type=gha,scope=ai-scan
 cache-to: type=gha,mode=max,scope=ai-scan
- - name: Run Trivy vulnerability scanner (AI)
- uses: aquasecurity/trivy-action@v0.36.0
- with:
- image-ref: "goodgo-ai:scan"
- format: "sarif"
- output: "trivy-ai-results.sarif"
- severity: "CRITICAL,HIGH"
- ignore-unfixed: true
-
- - name: Upload Trivy SARIF (AI)
- uses: github/codeql-action/upload-sarif@v3
- if: always()
- continue-on-error: true
- with:
- sarif_file: "trivy-ai-results.sarif"
- category: "trivy-ai"
-
 - name: Trivy table output (AI)
 uses: aquasecurity/trivy-action@v0.36.0
 with:
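Review bot: The `Trivy table output (API)` step that survives this hunk is now the only vulnerability check on the `goodgo-api:scan` image, and its `with:` block runs past the hunk, so I cannot confirm it fails the job on findings; the removed step pinned `severity: "CRITICAL,HIGH"` and `ignore-unfixed: true` but relied on the SARIF upload for visibility rather than on an exit code. If the table step does not already set it, add `exit-code: "1"` alongside `severity: "CRITICAL,HIGH"` and `ignore-unfixed: true` in its `with:` block so CRITICAL/HIGH findings still block the run instead of only scrolling past in the log. With `codeql.yml` deleted and `security-events: write` dropped in the same commit, nothing in this workflow publishes to code scanning any more; if that is deliberate (for example no Advanced Security on this repository), a one-line comment above the table step such as `# SARIF upload removed: findings are gated via exit-code only` would stop the next reader from re-adding it blindly. The Web and AI hunks on this line need the same treatment, and the enclosing jobs begin above each hunk.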
@@ -228,25 +175,6 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
- - name: Run Trivy filesystem scanner
- uses: aquasecurity/trivy-action@v0.36.0
- with:
- scan-type: "fs"
- scan-ref: "."
- format: "sarif"
- output: "trivy-fs-results.sarif"
- severity: "CRITICAL,HIGH"
- ignore-unfixed: true
- scanners: "vuln,secret,misconfig"
-
- - name: Upload Trivy SARIF (filesystem)
- uses: github/codeql-action/upload-sarif@v3
- if: always()
- continue-on-error: true
- with:
- sarif_file: "trivy-fs-results.sarif"
- category: "trivy-filesystem"
-
 - name: Trivy filesystem table output
 uses: aquasecurity/trivy-action@v0.36.0
 with:
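Review bot: The removed filesystem scan explicitly enabled `scanners: "vuln,secret,misconfig"`, and the retained `Trivy filesystem table output` step's `with:` block continues past the hunk, so I cannot see whether it re-enables the secret and misconfiguration checks; if it leans on Trivy's defaults, the IaC/Dockerfile misconfig coverage in particular is likely lost silently. Add `scanners: "vuln,secret,misconfig"` and `exit-code: "1"` to that step's `with:` block so the coverage the SARIF step had is preserved and a finding still fails the job rather than being log-only. Be aware that any credential the `secret` scanner catches will now surface only in the job log, which is readable by anyone who can read the repository, instead of as a code-scanning alert; decide whether that is acceptable here. The enclosing job starts above the hunk.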