Commit 31a5bc0
feat(RAN-59): rewrite .bestpractices.json to canonical per-criterion schema (#3)
Strip the custom group structure (status/evidence/audit) — bestpractices.dev
autofill ignores it — and replace with the canonical flat per-criterion
key/value schema from coreinfrastructure/best-practices-badge `criteria.yml`
'0' block (passing badge): 43 MUST + 10 SHOULD + 14 SUGGESTED, each with
`<key>_status` ("Met" / "Unmet" / "N/A" / "?") and `<key>_justification`,
plus `<key>_url` for the eight criteria where upstream sets
`met_url_required: true`.
Per-criterion evidence reuses what shipped in PR #1 (RAN-54): security.yml
gates (Trivy / Semgrep / PSScriptAnalyzer / Gitleaks / jscpd / SBOM),
scorecard.yml, dependabot.yml, signed-commit branch protection,
SECURITY.md disclosure SLA, engineering-standards.md quality gates.
Honest N/A statuses on `na_allowed: true` MUSTs where the criterion does
not apply to a single-script PowerShell tool: crypto_* (project does not
use cryptography), build_* (no compile/build step — .ps1 is the
deliverable), release_notes / release_notes_vulns (no tagged release
flow yet — head-of-main delivery via `git clone`),
dynamic_analysis_fixed (no dynamic analysis tool integrated; PowerShell
on .NET is memory-safe so valgrind/ASAN-class tools do not apply).
This unblocks bestpractices.dev autofill on the project edit page for
project 12647 — board admin OAuth login still required to flip the
badge to passing.
Co-authored-by: Paperclip <noreply@paperclip.ing>

1 parent 179e701 commit 31a5bc0
1 file changed
Lines changed: 209 additions & 31 deletions
0 commit comments
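The commit message above describes the canonical flat schema (`<key>_status`, `<key>_justification`, and `<key>_url` where upstream sets `met_url_required: true`) and warns that the old `status`/`evidence`/`audit` grouping is silently ignored by bestpractices.dev autofill. The following Python validator is an added example, not code from the commit or from the best-practices-badge project: it checks a `.bestpractices.json` document against those rules before it is committed. The `CRITERIA` table is constructed for the demo; `release_notes`, `release_notes_vulns` and `dynamic_analysis_fixed` are upstream keys named in the commit message, but their flag values and the two `demo_*` keys are assumptions standing in for the real 67-criterion `'0'` block of `criteria.yml`.

```python
"""Validate a .bestpractices.json in the flat per-criterion key/value schema.

Added example (not the project's code). Rules checked:
  * every criterion has <key>_status in {"Met", "Unmet", "N/A", "?"}
  * <key>_justification is non-empty unless the status is "?"
  * "N/A" is only accepted where the criterion is na_allowed
  * criteria with met_url_required need an http(s) <key>_url when "Met"
  * any key that is not <criterion>_status/_justification/_url is flagged,
    because bestpractices.dev autofill ignores non-canonical structure
"""
import json
import re

ALLOWED_STATUS = {"Met", "Unmet", "N/A", "?"}
SUFFIXES = ("_status", "_justification", "_url")

# Constructed criteria table (assumption): key names for the first three
# come from the commit message; flag values and the "demo_*" keys are
# illustrative placeholders for the full upstream criteria.yml '0' block.
CRITERIA = {
    "release_notes":          {"level": "MUST",   "na_allowed": True,  "met_url_required": False},
    "release_notes_vulns":    {"level": "MUST",   "na_allowed": True,  "met_url_required": False},
    "dynamic_analysis_fixed": {"level": "MUST",   "na_allowed": True,  "met_url_required": False},
    "demo_repo_public":       {"level": "MUST",   "na_allowed": False, "met_url_required": True},
    "demo_report_tracker":    {"level": "SHOULD", "na_allowed": False, "met_url_required": False},
}


def validate_badge(doc, criteria=CRITERIA):
    """Return a list of human-readable findings; an empty list means valid."""
    findings = []
    for key, meta in criteria.items():
        status = doc.get(f"{key}_status")
        if status is None:
            findings.append(f"{key}: missing {key}_status")
            continue
        if status not in ALLOWED_STATUS:
            findings.append(f"{key}: status {status!r} not in {sorted(ALLOWED_STATUS)}")
            continue
        if status == "N/A" and not meta["na_allowed"]:
            findings.append(f"{key}: N/A is not allowed for this criterion")
        justification = doc.get(f"{key}_justification", "")
        if status != "?" and not (isinstance(justification, str) and justification.strip()):
            findings.append(f"{key}: {key}_justification is empty")
        if meta["met_url_required"] and status == "Met":
            url = doc.get(f"{key}_url", "")
            if not (isinstance(url, str) and re.match(r"^https?://", url)):
                findings.append(f"{key}: Met requires {key}_url with an http(s) URL")
    # Anything outside <known criterion>_status/_justification/_url is stray.
    for key in doc:
        for suffix in SUFFIXES:
            if key.endswith(suffix) and key[: -len(suffix)] in criteria:
                break
        else:
            findings.append(f"stray key {key!r} (autofill ignores non-canonical keys)")
    return findings


def summarize(doc, criteria=CRITERIA):
    """Count criteria per status value (unknown/missing statuses are skipped)."""
    counts = {s: 0 for s in ALLOWED_STATUS}
    for key in criteria:
        status = doc.get(f"{key}_status", "?")
        if status in counts:
            counts[status] += 1
    return counts


# Constructed sample in the old custom group structure the commit removes.
SAMPLE_BEFORE = {
    "status": "in-progress",
    "evidence": {"security.yml": "Trivy, Semgrep, Gitleaks"},
    "audit": {"last": "2024-01-01"},
}

# Constructed sample in the canonical flat schema.
SAMPLE_AFTER = json.loads("""{
  "release_notes_status": "N/A",
  "release_notes_justification": "No tagged release flow yet; head-of-main delivery via git clone.",
  "release_notes_vulns_status": "N/A",
  "release_notes_vulns_justification": "No tagged releases, so no per-release vulnerability notes.",
  "dynamic_analysis_fixed_status": "N/A",
  "dynamic_analysis_fixed_justification": "No dynamic analysis tool integrated; PowerShell on .NET is memory-safe.",
  "demo_repo_public_status": "Met",
  "demo_repo_public_justification": "Repository is publicly readable.",
  "demo_repo_public_url": "https://example.invalid/repo",
  "demo_report_tracker_status": "?",
  "demo_report_tracker_justification": ""
}""")

if __name__ == "__main__":
    for name, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, summarize(doc), validate_badge(doc))
```

Run as a pre-commit or CI step, the validator fails the build on the first stray key or unjustified status, which is the class of mistake the commit message says the autofill would otherwise swallow without feedback.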