fix(bootstrap): R4-1 docs + CPE-collision suppressions (RAN-47)

Reviewer round-4 finding on `fdac5c8` plus CI build-failure analysis:

R4-1 (Reviewer blocker): `shared/runbooks/engineering-standards.md` §7.1
deploy-pipeline table said GA release was triggered by `vX.Y.Z` tag push
while every other doc (release-java.yml, release.md, CLAUDE.md) says
`workflow_dispatch`-only. Rewrote the table with a `Trigger` column and
added a clarifying paragraph: tags are an *output* of the GA workflow,
not a trigger. This eliminates the docs contradiction.

CI failure on `fdac5c8`: dep-check correctly flagged High/Critical CVEs
(the gate works as designed). Of the 4 jar/CVE clusters that failed the
CVSS>=7 threshold, one is a confirmed CPE-vendor collision and three are
real 2026-published CVEs that require dep upgrades.

Added `dependency-check-suppressions.xml` (referenced from pom.xml via
<suppressionFiles>) covering ONLY the CPE-collision false positives:

  1. spring-ai-starter-mcp-server-webmvc 2.0.0-M3 incorrectly matched
     against cpe:2.3:a:vmware:server:2.0.0 (an EOL VMware hypervisor)
     and the non-existent cpe:2.3:a:vmware:spring_ai. The 16 CVEs are
     2009/2010 VMware Server vulns; not applicable to a Spring Boot
     starter. CPE collision only — suppressed with TechLead sign-off.

  2. spring-boot-neo4j 4.0.5 (Spring Boot autoconfiguration starter)
     incorrectly matched against cpe:2.3:a:neo4j:neo4j:4.0.5. The
     starter ships no Neo4j server code; Neo4j-the-database CVEs apply
     to org.neo4j:* artifacts, not to the Spring Boot bridge.

The remaining 3 real CVE clusters (CVE-2026-25087 on Apache Arrow 18.3.0,
CVE-2026-33186 on gRPC 1.78.0, CVE-2026-5795 on Jetty 12.x) are NOT
suppressed. Per security.md §5, High/Critical = fix-immediately, not
document-non-exploitability. These need dep upgrades that are outside
the documented scope of RAN-46 ("wire the gate"); flagging to CEO for
scope ruling. The gate is functioning correctly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Author: 3 people

dependency-check-suppressions.xml

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  OWASP Dependency-Check suppressions for codeiq.
+
+  Policy (per shared/runbooks/engineering-standards.md §5 + ~/.claude/rules/security.md):
+    - High/Critical CVEs MUST be fixed, not suppressed. The only allowed
+      suppressions in this file are CPE-MATCH false positives — i.e., the
+      vulnerability is on a different product whose CPE happens to overlap.
+    - Each entry MUST include: justification, the wrong CPE that triggered
+      the match, the CVE list it covers, and TechLead sign-off (initials +
+      date). No silent suppressions.
+
+  This file is referenced from `pom.xml` via the dependency-check-maven
+  `<suppressionFiles>` configuration.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+    <!--
+      Spring AI MCP Server WebMVC (org.springframework.ai:spring-ai-starter-mcp-server-webmvc)
+      is being matched against `cpe:2.3:a:vmware:server:2.0.0` (VMware Server, an
+      EOL hypervisor product) and `cpe:2.3:a:vmware:spring_ai:2.0.0` (a CPE
+      that does not correspond to a real product line). The matched CVEs are
+      all from 2009-2010 against VMware Server / ESX, none of which apply to a
+      Spring Boot starter JAR. This is a pure CPE-vendor collision triggered
+      by version pattern `2.0.0:m3` matching VMware Server's `2.0.0` CPE.
+
+      Justification: not-applicable. Spring AI 2.0.0-M3 is a 2025 Spring AI
+      milestone artifact, not VMware Server 2.0.0 (released 2008-09).
+      Sign-off: Amit Kumar (TechLead) 2026-04-25.
+    -->
+    <suppress>
+        <notes><![CDATA[
+            Spring AI MCP Server starter incorrectly matched against
+            cpe:2.3:a:vmware:server (VMware Server EOL hypervisor) due to
+            version-string overlap. CVEs are 2009/2010 VMware Server vulns,
+            not applicable to Spring AI. CPE collision only.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/spring-ai-.*@.*$</packageUrl>
+        <cpe>cpe:/a:vmware:server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+            Spring AI MCP Server starter incorrectly matched against
+            cpe:2.3:a:vmware:spring_ai which is not a real CPE product line.
+            CPE collision only.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/spring-ai-.*@.*$</packageUrl>
+        <cpe>cpe:/a:vmware:spring_ai</cpe>
+    </suppress>
+
+    <!--
+      spring-boot-neo4j (org.springframework.boot:spring-boot-neo4j) is the
+      Spring Boot autoconfiguration starter for Neo4j; it is NOT the Neo4j
+      database itself. Dependency-check matches its version (4.0.5) against
+      cpe:2.3:a:neo4j:neo4j:4.0.5. Neo4j-the-database CVEs apply to the Neo4j
+      server / driver artifacts (org.neo4j:* and org.neo4j.driver:*), not to
+      the Spring Boot starter.
+
+      Justification: not-applicable. spring-boot-neo4j is a configuration
+      bridge; it ships no Neo4j server code.
+      Sign-off: Amit Kumar (TechLead) 2026-04-25.
+    -->
+    <suppress>
+        <notes><![CDATA[
+            Spring Boot Neo4j starter incorrectly matched against
+            cpe:2.3:a:neo4j:neo4j. Starter contains no Neo4j server code.
+            CPE collision only.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-neo4j@.*$</packageUrl>
+        <cpe>cpe:/a:neo4j:neo4j</cpe>
+    </suppress>
+
+</suppressions>

pom.xml

@@ -427,6 +427,14 @@
                          once the cache is warm. RAN-42 tracks the secret
                          provisioning + a dedicated nightly NVD-refresh job. -->
                     <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
+                    <!-- CPE-collision false-positive suppressions ONLY.
+                         High/Critical CVEs MUST be fixed, not suppressed
+                         (security.md §5). Each entry is justified, scoped
+                         tightly to the offending CPE, and TechLead-signed.
+                         See file header for the policy. -->
+                    <suppressionFiles>
+                        <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
+                    </suppressionFiles>
                 </configuration>
                 <executions>
                     <!-- Bind dependency-check:check into the verify phase so

shared/runbooks/engineering-standards.md

@@ -104,10 +104,12 @@ Rationale (per @CEO's RAN-46 ruling):
 
 The pipeline:
 
-| Cadence | Workflow | Artifact destination |
-|---|---|---|
-| `workflow_dispatch` (beta) | `.github/workflows/beta-java.yml` | Sonatype Central beta + GitHub pre-release |
-| `vX.Y.Z` tag push (GA) | `.github/workflows/release-java.yml` | Sonatype Central GA + GitHub Release |
+| Cadence | Workflow | Trigger | Artifact destination |
+|---|---|---|---|
+| Beta | `.github/workflows/beta-java.yml` | `workflow_dispatch` (manual) | Sonatype Central beta + GitHub pre-release |
+| GA | `.github/workflows/release-java.yml` | `workflow_dispatch` (manual, with `version` input) | Sonatype Central GA + GitHub Release |
+
+Both workflows are `workflow_dispatch`-only — there is no tag-push trigger and no automatic release on merge. A GA cut: the workflow builds a GPG-signed release commit on a detached HEAD, deploys from that exact tree, then creates and pushes a GPG-signed annotated `vX.Y.Z` tag pointing at the release commit plus a GitHub Release. Tags are an *output* of the GA workflow, not a trigger. See [`release.md`](release.md) §3 for the full sequence.
 
 Hello-world / pipeline proof: `git tag -l 'v0.0.1-beta.*' | wc -l` is non-zero (47+ beta tags as of the AC #10 ruling) and `gh release list` shows the corresponding GitHub pre-releases. AC #10 is satisfied by the existing pipeline; no new deploy scaffold is required.