Commit 924b656
chore(bestpractices): rewrite to canonical autofill schema (RAN-57)
Strip the custom group structure (`status` / `evidence` / `audit`) and
rewrite `.bestpractices.json` against bestpractices.dev's flat
per-criterion key/value schema so the autofill robot can pre-fill
the criteria page on board flip.
All 67 passing-level criteria are now answered with `<key>_status`,
`<key>_justification`, and (where required by upstream
`criteria.yml`) `<key>_url`:
- 43 MUST: 42 Met + 1 N/A (`crypto_password_storage` — na_allowed,
codeiq is a developer CLI with no auth surface).
- 10 SHOULD: 9 Met + 1 N/A (`crypto_pfs` — codeiq runs on
localhost; PFS is the operator's responsibility).
- 14 SUGGESTED: 11 Met + 1 N/A (`dynamic_analysis_unsafe` — Java is
memory-safe) + 2 "?" placeholders (`dynamic_analysis`,
`dynamic_analysis_enable_assertions` — no DAST/fuzzing today).
Each justification cites the concrete source-of-truth (`LICENSE`,
`SECURITY.md`, `shared/runbooks/engineering-standards.md` §1–9,
`shared/runbooks/release.md`, `shared/runbooks/test-strategy.md`,
`pom.xml` JaCoCo gate, `.github/workflows/{ci-java,security,scorecard,
release-java,beta-java}.yml`, `.github/dependabot.yml`,
`scripts/setup-git-signed.sh`, `cache/FileHasher.java` SHA-256). The
required `_url` fields on `contribution`, `license_location`,
`release_notes`, `report_process`, `report_archive`,
`vulnerability_report_process`, `vulnerability_report_private`, and
`contribution_requirements` resolve to public GitHub URLs.
Refs: RAN-50 (parent) | RAN-52 (codeiq OpenSSF lane) | bestpractices.dev/projects/12650
Co-Authored-By: Paperclip <noreply@paperclip.ing>

1 parent bbacb86, commit 924b656
1 file changed
Lines changed: 210 additions & 32 deletions
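The commit message describes the flat `<key>_status` / `<key>_justification` / `<key>_url` layout the autofill robot consumes, and a pre-fill robot will happily ingest a file with a misspelled key, a `Met` that lacks its mandatory URL, or an `N/A` on a criterion that does not allow it. The linter below is an added example, not code from the commit or from bestpractices.dev; it assumes the status vocabulary is `Met` / `Unmet` / `N/A` / `?`, and the per-criterion table (level, URL required, N/A allowed) is a hand-written subset standing in for upstream `criteria.yml`. The sample answers file and the `https://example.invalid/...` URLs are constructed for the example.

```python
"""Lint a flat bestpractices.dev-style answers file before the autofill
robot reads it (added example; schema details are assumptions)."""
import json
import re
from collections import Counter

# Assumed status vocabulary for bestpractices.dev criteria.
VALID_STATUS = {"Met", "Unmet", "N/A", "?"}

# Hypothetical subset of criteria.yml: criterion -> (level, url_required, na_allowed).
CRITERIA = {
    "contribution": ("MUST", True, False),
    "license_location": ("MUST", True, False),
    "report_process": ("MUST", True, False),
    "crypto_password_storage": ("MUST", False, True),
    "crypto_pfs": ("SHOULD", False, True),
    "dynamic_analysis": ("SUGGESTED", False, False),
}

# Constructed sample answers (not the project's real .bestpractices.json).
# It deliberately omits report_process_url and carries a stray "typo_status".
SAMPLE = json.dumps({
    "contribution_status": "Met",
    "contribution_justification": "CONTRIBUTING.md documents the process.",
    "contribution_url": "https://example.invalid/codeiq/blob/main/CONTRIBUTING.md",
    "license_location_status": "Met",
    "license_location_justification": "LICENSE at repository root.",
    "license_location_url": "https://example.invalid/codeiq/blob/main/LICENSE",
    "report_process_status": "Met",
    "report_process_justification": "Bugs are filed as GitHub issues.",
    "crypto_password_storage_status": "N/A",
    "crypto_password_storage_justification": "Developer CLI with no auth surface.",
    "crypto_pfs_status": "N/A",
    "crypto_pfs_justification": "Runs on localhost; PFS is the operator's job.",
    "dynamic_analysis_status": "?",
    "dynamic_analysis_justification": "",
    "typo_status": "Met",
})

# Greedy `.+` keeps multi-underscore criterion names intact, e.g.
# "crypto_password_storage_status" -> crit="crypto_password_storage".
KEY_RE = re.compile(r"^(?P<crit>.+)_(?P<field>status|justification|url)$")


def parse_answers(text):
    """Group flat `<crit>_<field>` keys into {crit: {field: value}}."""
    answers, problems = {}, []
    for key, value in json.loads(text).items():
        m = KEY_RE.match(key)
        if not m:
            problems.append(f"unrecognised key {key!r}")
            continue
        answers.setdefault(m["crit"], {})[m["field"]] = value
    return answers, problems


def lint(text):
    """Return (per-level status counts, list of problems) for an answers file."""
    answers, problems = parse_answers(text)
    counts = {level: Counter() for level in ("MUST", "SHOULD", "SUGGESTED")}
    for crit, (level, url_required, na_allowed) in CRITERIA.items():
        a = answers.get(crit)
        if a is None:
            problems.append(f"{crit}: no answer")
            continue
        status = a.get("status")
        if status not in VALID_STATUS:
            problems.append(f"{crit}: bad status {status!r}")
            continue
        counts[level][status] += 1
        if status == "N/A" and not na_allowed:
            problems.append(f"{crit}: N/A not allowed for this criterion")
        # A "?" placeholder is the one case where an empty justification is fine.
        if status != "?" and not str(a.get("justification", "")).strip():
            problems.append(f"{crit}: missing justification")
        if url_required and status == "Met" and not str(a.get("url", "")).startswith("https://"):
            problems.append(f"{crit}: status Met requires a public https URL")
    # Keys that parsed cleanly but name no known criterion are silently ignored
    # by a robot; surface them so a misspelled key is not mistaken for an answer.
    for crit in answers:
        if crit not in CRITERIA:
            problems.append(f"{crit}: not in criteria table")
    return counts, problems


if __name__ == "__main__":
    counts, problems = lint(SAMPLE)
    for level, c in counts.items():
        print(level, dict(c))
    for p in problems:
        print("PROBLEM:", p)
```

Running it on the constructed sample prints the Met / N/A / `?` tally per level, in the same shape as the breakdown in the commit message, and flags the two planted defects (the `Met` on `report_process` without its `_url`, and the orphan `typo_status` key). Wiring `lint` into CI next to the other gates the message cites would catch a malformed file before the board flip rather than after the robot has pre-filled the page.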