feat(security): OpenSSF Best Practices + Scorecard scaffolding (RAN-55, RAN-60) (#1)

* checkpoint: pre-yolo 2026-04-20T09:09:19

* feat(security): land OpenSSF Best Practices + Scorecard scaffolding (RAN-55)

Adapt the codeiq RAN-46/RAN-52 recipe to vigil's PowerShell + WPF tree:

- Add CLAUDE.md (architecture, conventions, OpenSSF observability target)
- Add SECURITY.md (private disclosure, scope, hardening references)
- Add AGENTS.md (agent collaborator entry-point)
- Add .bestpractices.json (project_id 12648, level: passing, evidence map)
- Add .github/workflows/scorecard.yml (push to main + Mondays 06:00 UTC,
  SHA-pinned actions, SARIF + artifact)
- Add .github/workflows/security.yml — (B) OSS-CLI stack:
  Semgrep / OSV-Scanner / Trivy / Gitleaks / jscpd / Syft SBOM,
  language-adapted (PowerShell tokenization for jscpd, no Maven/npm bits)
- Add .github/dependabot.yml (github-actions only — vigil has no
  language lockfile)
- README.md: add OpenSSF Best Practices + Scorecard badges
- LICENSE: align copyright with project precedent (Amit Kumar)

Per board ruling: Scorecard is observational only (stretch >= 8.0/10);
the OpenSSF Best Practices `passing` badge is the only hard gate. Final
flip from `in_progress` to `passing` on bestpractices.dev is admin-UI
work and stays board-owned.

Board action items (cannot land via workflow file):
- Enable signed-commit branch protection on main
- Enable secret scanning + push protection
- Enable Dependabot security updates
- Flip bestpractices.dev project 12648 from in_progress to passing

Closes RAN-55 (after the board-side toggles + bestpractices.dev flip).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(ci): replace broken google/osv-scanner-action with binary install

The pinned `google/osv-scanner-action@c5185470…` (v2.3.5) ships an
`action.yml` that is composite-only and missing the top-level `runs:`
section, so GitHub rejects it as a job step with:

  Top level 'runs:' section is required for
  google/osv-scanner-action/.../action.yml

Codeiq hit the same trap on its RAN-52 follow-up and switched to
installing the official `osv-scanner` binary via `gh release download`.
Mirroring that pattern here, adapted for vigil:

- env: OSV_SCANNER_VERSION=2.3.5, GH_TOKEN=github.token
- gh release download `osv-scanner_linux_amd64` from
  `google/osv-scanner` v2.3.5 (pattern match → mv to stable name)
- Smoke `./osv-scanner --version` so future regressions surface
  clearly instead of exit 127
- Recursive source scan (`--recursive --skip-git ./`); vigil has no
  language lockfile today, so the run exits with no findings.
  Coverage activates automatically once a `*.lock` lands in-tree.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* chore(bestpractices): rewrite to canonical autofill schema (RAN-60)

Replace custom group structure (status / evidence / audit blocks) with
bestpractices.dev's canonical flat per-criterion schema so the autofill
robot pre-fills the criteria page on board flip. All 67 passing-level
criteria (43 MUST, 10 SHOULD, 14 SUGGESTED) carry _status,
_justification, and (where required by upstream criteria.yml) _url.

Status distribution: 62 Met, 4 N/A (release_notes / release_notes_vulns
/ version_semver / version_tags — vigil ships no formal release line),
1 Unmet (test_continuous_integration — Test-Vigil.ps1 not yet wired into
GHA), 2 ? (dynamic_analysis, dynamic_analysis_enable_assertions).

Schema source: criteria/criteria.yml top-level '0:' block on
coreinfrastructure/best-practices-badge.

Companion to RAN-57 (codeiq), RAN-58 (otelcontext), RAN-59 (snipIT).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>

Author: aksOps

.bestpractices.json

@@ -0,0 +1,38 @@
+# Dependabot configuration for vigil.
+# Docs: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# Vigil ships no language-ecosystem dependency surface — it is a single-file
+# PowerShell + WPF app with no `package-lock.json`, no `pom.xml`, no
+# `requirements.txt`. The only thing Dependabot can usefully bump on this
+# repo is the GitHub Actions in `.github/workflows/`.
+#
+# Strategy:
+#   * weekly cadence — keeps the noise floor low while still catching CVEs early
+#   * grouped — single PR per week unless a security update fires
+#   * security updates fire whenever needed regardless of the weekly slot
+#
+# RAN-55 — paired with `.github/workflows/security.yml` (OSS-CLI stack) and
+# `.github/workflows/scorecard.yml` (OpenSSF Scorecard). Repo-level
+# "Dependabot security updates" + "secret scanning" + "push protection"
+# are board-owned toggles in repo Settings.
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"
+      - "area:ci"
+    commit-message:
+      prefix: "chore(actions)"
+      include: "scope"
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/dependabot.yml

@@ -0,0 +1,69 @@
+# OpenSSF Scorecard supply-chain analysis.
+# RAN-55 — best-effort target. Scorecard is observational and does NOT gate
+# merge per the board ruling; the OpenSSF Best Practices `passing` badge is
+# the only hard gate.
+# Docs: https://github.com/ossf/scorecard-action
+
+name: Scorecard supply-chain security
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    # Mondays 06:00 UTC — same window as security.yml so the weekly
+    # observability sweep runs together.
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+# Restrict the default GITHUB_TOKEN to read-only; the steps below request the
+# narrow scopes they actually need.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Required for upload to the code-scanning Security tab.
+      security-events: write
+      # Required to read OIDC token for publish_results.
+      id-token: write
+      # Default scopes for actions/checkout.
+      contents: read
+      actions: read
+
+    steps:
+      - name: Harden runner egress
+        # step-security/harden-runner v2.19.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        # actions/checkout v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard analysis
+        # ossf/scorecard-action v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Publish the results so they appear on the public Scorecard dashboard.
+          publish_results: true
+
+      - name: Upload Scorecard SARIF (artifact)
+        # actions/upload-artifact v7.0.1
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        with:
+          name: scorecard-sarif
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload SARIF to GitHub code-scanning
+        # github/codeql-action/upload-sarif v3.35.2
+        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a
+        with:
+          sarif_file: results.sarif