chore(bootstrap): RAN-46 engineering bootstrap (security, runbooks, OpenSSF wiring)

Lands the static side of the one-shot RAN-46 bootstrap. No code or build
changes — only governance + supply-chain artifacts the rest of the AC list
depends on.

Adds:
  - shared/runbooks/{release,rollback,first-time-setup,engineering-standards}.md
    (release.md is the gate referenced by the CEO bootstrap precondition for
     every downstream RAN-* product issue)
  - SECURITY.md  (private-disclosure contact, supported versions, scope)
  - AGENTS.md    (repo-root entry point pointing at CLAUDE.md and runbooks)
  - .bestpractices.json (OpenSSF Best Practices self-assessment skeleton —
                         project_id pending board registration per AC #8)
  - .github/dependabot.yml (Maven + GHA + npm, weekly grouped)
  - .github/workflows/codeql.yml + scorecard.yml (every action pinned by
                                                  commit SHA per Scorecard
                                                  Pinned-Dependencies)
  - scripts/setup-git-signed.sh (idempotent repo-local ssh-signing config)
  - README.md badge row: OpenSSF Scorecard + Best Practices placeholder
  - LICENSE: copyright "Amit Kumar" per AC #6

Verified locally:
  - git config --local user.signingkey resolves to ~/.ssh/id_ed25519.pub
  - git commit-tree -S succeeds and verify-commit reports a valid SSH sig
  - All GitHub Actions in new workflows pinned by 40-char commit SHA

Out of this slice (follow-up commits/PRs on this same branch):
  - jacoco 85% rule + dependency-check failBuildOnCVSS=7 in pom.xml
  - SHA-pinning of existing ci-java.yml / beta-java.yml / release-java.yml
  - Branch protection + Dependabot security-updates + private vuln reporting
    (driven post-merge via gh api — recorded as RAN-46 comments)
  - Hello-world deploy proof (blocked on AC #10 scope decision from @coo)
  - paperclip Project codebase.repoUrl PATCH (final step after this PR merges)

Refs RAN-46.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

.bestpractices.json

@@ -0,0 +1,41 @@
+{
+  "$schema": "https://bestpractices.coreinfrastructure.org/projects.schema.json",
+  "_comment": "OpenSSF Best Practices self-assessment skeleton for RandomCodeSpace/codeiq. The numeric project_id and badge URL are populated by a board admin after registering the project at https://www.bestpractices.dev/ — RAN-46 AC #8 calls this out as auth-blocked. Once the registration is complete, fill `project_id` and re-render the README badge with the resolved URL.",
+  "project_id": null,
+  "name": "codeiq",
+  "description": "Deterministic code knowledge graph — scans codebases to map services, endpoints, entities, infrastructure, auth patterns, and framework usage. No AI, pure static analysis.",
+  "homepage_url": "https://github.com/RandomCodeSpace/codeiq",
+  "repo_url": "https://github.com/RandomCodeSpace/codeiq",
+  "license": "MIT",
+  "level": "passing",
+  "status": {
+    "basics": "self-assessed-passing",
+    "change_control": "self-assessed-passing",
+    "reporting": "self-assessed-passing",
+    "quality": "self-assessed-passing",
+    "security": "self-assessed-passing",
+    "analysis": "self-assessed-passing"
+  },
+  "evidence": {
+    "vulnerability_report_process": "SECURITY.md",
+    "release_process": "shared/runbooks/release.md",
+    "rollback_process": "shared/runbooks/rollback.md",
+    "first_time_setup": "shared/runbooks/first-time-setup.md",
+    "engineering_standards": "shared/runbooks/engineering-standards.md",
+    "license_file": "LICENSE",
+    "build_reproducible": "mvn -B -ntp clean verify",
+    "ci_workflow": ".github/workflows/ci-java.yml",
+    "code_scanning": ".github/workflows/codeql.yml",
+    "supply_chain_scorecard": ".github/workflows/scorecard.yml",
+    "dependency_updates": ".github/dependabot.yml",
+    "signed_commits": "scripts/setup-git-signed.sh",
+    "secret_scanning": "GitHub repo setting (secret_scanning + push_protection enabled)",
+    "static_analysis": "SpotBugs (mvn spotbugs:check) + SonarCloud Quality Gate",
+    "vulnerability_scanning": "OWASP Dependency-Check (mvn dependency-check:check) + Dependabot security updates"
+  },
+  "audit": {
+    "self_assessment_date": "2026-04-25",
+    "self_assessment_author": "TechLead (RAN-46)",
+    "registration_blocker": "https://www.bestpractices.dev/ requires human OAuth/form. Tracked under RAN-46 AC #8."
+  }
+}

.github/dependabot.yml

@@ -0,0 +1,125 @@
+# Dependabot configuration for codeiq.
+# Docs: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# Strategy:
+#   * weekly cadence — keeps the noise floor low while still catching CVEs early
+#   * grouped updates per ecosystem so PR fan-out stays manageable
+#   * security updates fire whenever needed regardless of the weekly slot
+#
+# RAN-46 AC #4: Dependabot (security + version updates, weekly, grouped). Also
+# enable repo-level "Dependabot security updates" via gh api (the version-updates
+# below cover routine bumps; security updates are the reactive channel).
+
+version: 2
+updates:
+  # ----- Maven (the codeiq application) -----
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 10
+    labels:
+      - "type:dependencies"
+      - "area:backend"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    groups:
+      spring:
+        patterns:
+          - "org.springframework*"
+          - "org.springframework.boot:*"
+          - "org.springframework.security:*"
+          - "org.springframework.ai:*"
+      jackson:
+        patterns:
+          - "com.fasterxml.jackson*"
+      neo4j:
+        patterns:
+          - "org.neo4j:*"
+          - "org.neo4j.driver:*"
+      antlr:
+        patterns:
+          - "org.antlr:*"
+      maven-plugins:
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "org.codehaus.*"
+          - "org.jacoco:*"
+          - "com.github.spotbugs:*"
+          - "org.owasp:*"
+          - "org.sonarsource.scanner.maven:*"
+          - "org.sonatype.central:*"
+      test-libs:
+        patterns:
+          - "org.junit.jupiter:*"
+          - "org.mockito:*"
+          - "org.assertj:*"
+          - "org.hamcrest:*"
+          - "com.h2database:*"
+
+  # ----- GitHub Actions (CI / release / security) -----
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"
+      - "area:ci"
+    commit-message:
+      prefix: "chore(actions)"
+      include: "scope"
+    groups:
+      actions:
+        patterns:
+          - "*"
+
+  # ----- Frontend (npm under src/main/frontend) -----
+  - package-ecosystem: "npm"
+    directory: "/src/main/frontend"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"
+      - "area:frontend"
+    commit-message:
+      prefix: "chore(frontend)"
+      include: "scope"
+    groups:
+      react:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "@types/react*"
+      ant-design:
+        patterns:
+          - "antd"
+          - "@ant-design/*"
+      vite:
+        patterns:
+          - "vite"
+          - "@vitejs/*"
+      echarts:
+        patterns:
+          - "echarts"
+          - "echarts-for-react"
+      eslint:
+        patterns:
+          - "eslint*"
+          - "@eslint/*"
+          - "@typescript-eslint/*"
+      typescript:
+        patterns:
+          - "typescript"
+          - "@types/*"

.github/workflows/codeql.yml

@@ -0,0 +1,81 @@
+# CodeQL code-scanning analysis for codeiq.
+# RAN-46 AC #4 (code scanning enabled). Runs on push, on PR, and on a weekly cron
+# so we don't drift if someone forgets to push for a while.
+#
+# Java is the only first-class language at the moment. The bundled React UI under
+# src/main/frontend is JS/TS — added as a second matrix entry so frontend changes
+# also get scanned without slowing down Java analysis.
+
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Mondays 07:00 UTC
+    - cron: "0 7 * * 1"
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    permissions:
+      security-events: write
+      packages: read
+      contents: read
+      actions: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: java-kotlin
+            build-mode: manual
+          - language: javascript-typescript
+            build-mode: none
+
+    steps:
+      - name: Harden runner egress
+        # step-security/harden-runner v2.19.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        # actions/checkout v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Set up JDK 25
+        if: matrix.language == 'java-kotlin'
+        # actions/setup-java v5.2.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
+        with:
+          distribution: temurin
+          java-version: "25"
+          cache: maven
+
+      - name: Initialize CodeQL
+        # github/codeql-action/init v3.35.2
+        uses: github/codeql-action/init@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-and-quality
+
+      - name: Build with Maven (Java only)
+        if: matrix.language == 'java-kotlin'
+        run: mvn -B -ntp -DskipTests -Dspotbugs.skip=true -Ddependency-check.skip=true clean package
+
+      - name: Perform CodeQL analysis
+        # github/codeql-action/analyze v3.35.2
+        uses: github/codeql-action/analyze@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/scorecard.yml

@@ -0,0 +1,66 @@
+# OpenSSF Scorecard supply-chain analysis.
+# RAN-46 AC #9. Best-effort target — no hard numeric floor; Scorecard does not gate merge.
+# Docs: https://github.com/ossf/scorecard-action
+
+name: Scorecard supply-chain security
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    # Mondays 06:00 UTC
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+# Restrict the default GITHUB_TOKEN to read-only; the steps below request the
+# narrow scopes they actually need.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Required for upload to the code-scanning Security tab.
+      security-events: write
+      # Required to read OIDC token for publish_results.
+      id-token: write
+      # Default scopes for actions/checkout.
+      contents: read
+      actions: read
+
+    steps:
+      - name: Harden runner egress
+        # step-security/harden-runner v2.19.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        # actions/checkout v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard analysis
+        # ossf/scorecard-action v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Publish the results so they appear on the public Scorecard dashboard.
+          publish_results: true
+
+      - name: Upload Scorecard SARIF (artifact)
+        # actions/upload-artifact v7.0.1
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        with:
+          name: scorecard-sarif
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload SARIF to GitHub code-scanning
+        # github/codeql-action/upload-sarif v3.35.2
+        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a
+        with:
+          sarif_file: results.sarif

AGENTS.md

@@ -0,0 +1,43 @@
+# AGENTS.md — codeiq
+
+> **Repo-root entry point for any agent collaborator.** This file is intentionally short and lists pointers; the canonical contents live elsewhere and are linked from here.
+
+## What this repo is
+
+codeiq is a CLI + read-only server that builds a deterministic code-knowledge graph over a codebase. No AI, no external APIs — pure static analysis. See [`/CLAUDE.md`](CLAUDE.md) for the architecture, package map, pipeline, conventions, and gotchas.
+
+## Pointers, in priority order
+
+1. **Read [`/CLAUDE.md`](CLAUDE.md) first.** It is the SSoT for architecture, build/test commands, package layout, and the long-tail of "things that bite you on this codebase."
+2. **Then [`/shared/runbooks/engineering-standards.md`](shared/runbooks/engineering-standards.md).** Coverage, CVE, signed-commits, and quality-gate policy.
+3. **Then the runbooks you'll actually need:**
+   - [`shared/runbooks/first-time-setup.md`](shared/runbooks/first-time-setup.md) — get from clean clone to green local build.
+   - [`shared/runbooks/release.md`](shared/runbooks/release.md) — how to ship; gates downstream RAN-* product work.
+   - [`shared/runbooks/rollback.md`](shared/runbooks/rollback.md) — when a ship goes bad.
+4. **Security**: [`/SECURITY.md`](SECURITY.md) for disclosure; private reports only.
+
+## Hard rules for any agent doing work in this repo
+
+- **Branch off `main`.** Never commit to `main` directly.
+- **Sign every commit.** The repo-local config (`scripts/setup-git-signed.sh`) makes this automatic; do not rewrite it.
+- **One logical change per commit.** Conventional-commit subjects (`feat:`, `fix:`, `chore:`, `refactor:`, `test:`, `docs:`, `perf:`).
+- **Squash-merge only.** Branch protection rejects merge commits and force-pushes to `main`.
+- **Tests + jacoco gate must pass.** `mvn -B -ntp clean verify` is the contract.
+- **Determinism is non-negotiable.** Same input → same output, byte-for-byte. Any new detector ships with a determinism test.
+- **Read-only serving layer.** MCP and REST API on the `serve` path do not mutate. If you find yourself adding `POST /api/<verb>` that writes, stop and reconsider.
+- **No secrets in code.** Repo-level GitHub Actions secrets only.
+
+## Paperclip / RAN-* coordination
+
+This codebase tracks work in Paperclip under the `RAN-*` prefix. When you pick up a task:
+
+1. Checkout the issue (`POST /api/issues/{id}/checkout`) before you start.
+2. Comment progress on every heartbeat — terse markdown, link the PR.
+3. Branch protection requires TechLead approval; route review there.
+4. Reference the issue in your commit/PR body (`Closes RAN-N`).
+
+If the task asks for product/feature work and `shared/runbooks/release.md` is missing on `main`, **stop**: the RAN-46 bootstrap precondition has not landed yet and product work is gated on it.
+
+## Auth escalation
+
+If you hit something requiring GitHub App / PAT / OAuth that the runtime cannot satisfy (org admin escalation, Sonatype Central re-namespace, OpenSSF Best Practices form, etc.), do **not** improvise auth: PATCH the issue to `blocked` with the exact ask and `@`-mention the board.

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 RandomCodeSpace
+Copyright (c) 2026 Amit Kumar
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -12,6 +12,8 @@
   <a href="https://github.com/RandomCodeSpace/codeiq/blob/main/LICENSE"><img src="https://img.shields.io/github/license/RandomCodeSpace/codeiq?style=flat-square&label=License" alt="MIT License"></a>
   <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_codeiq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_codeiq&metric=security_rating" alt="Security"></a>
   <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_codeiq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_codeiq&metric=reliability_rating" alt="Reliability"></a>
+  <a href="https://api.securityscorecards.dev/projects/github.com/RandomCodeSpace/codeiq"><img src="https://api.securityscorecards.dev/projects/github.com/RandomCodeSpace/codeiq/badge" alt="OpenSSF Scorecard"></a>
+  <a href="https://www.bestpractices.dev/projects/codeiq"><img src="https://img.shields.io/badge/OpenSSF%20Best%20Practices-pending%20registration-lightgrey?style=flat-square&logo=openssf&logoColor=white" alt="OpenSSF Best Practices (pending registration — RAN-46 AC #8)"></a>
   <a href="https://github.com/RandomCodeSpace/codeiq"><img src="https://img.shields.io/badge/detectors-97-brightgreen?style=flat-square&logo=codefactor&logoColor=white" alt="97 Detectors"></a>
   <a href="https://github.com/RandomCodeSpace/codeiq"><img src="https://img.shields.io/badge/languages-35%2B-blue?style=flat-square&logo=stackblitz&logoColor=white" alt="35+ Languages"></a>
 </p>