chore(security): land OSS-CLI stack + wire OpenSSF Best Practices project (RAN-52)

[aksOps]

Summary

Closes most of RAN-52 — the leftover-criteria + observability pass on top of RAN-46. Two acceptance items remain board-owned and are flagged at the bottom.

• .github/workflows/security.yml (new) — consolidated (B) OSS-CLI security stack: Semgrep (SAST), OSV-Scanner (deps; second-source CVE feed cross-checking the existing OWASP Dependency-Check from ci-java.yml), Trivy (filesystem CVEs + IaC misconfig), Gitleaks (secret scan, run via the upstream Docker image to avoid the org GITLEAKS_LICENSE requirement), jscpd (copy-paste detection), and anchore/sbom-action (SPDX SBOM). Triggers: push to main, PR, weekly cron (Mon 06:00 UTC, same window as scorecard.yml), workflow_dispatch. Every job hardens egress with step-security/harden-runner and uploads SARIF to GitHub code scanning where supported plus raw reports as workflow artifacts. All actions SHA-pinned (Scorecard Pinned-Dependencies).
• .bestpractices.json — registration unblocked between RAN-46 and RAN-52, so project_id is now wired to 12650 and the registration-blocker note is cleared.
• README.md — replace the placeholder "pending registration" Best Practices badge with the live bestpractices.dev/projects/12650/badge (verified live via HTTP 200).
• CLAUDE.md — new "Supply-chain observability (OpenSSF)" section documenting the Best Practices project, the Scorecard baseline + target (≥ 8.0/10 stretch), known floor reductions (Webhooks N/A, Signed-Releases partial), and the OSS-CLI stack pointer. Satisfies AC Remove Thymeleaf UI — consolidate to React SPA #7.
• shared/runbooks/engineering-standards.md — §1 paragraph rewritten so the OSV row is no longer "planned, RAN-42" (it has landed inside security.yml); §5 gets a row pointing at security.yml and the new CLAUDE.md section.

Subsumes the previously planned standalone RAN-42 osv-scanner.yml. The OSS-CLI stack is observability-only at the bootstrap window — promotion to gate-blocking happens once a clean baseline exists.

RAN-52 acceptance status

AC	Status	Where
1. bestpractices.dev page = passing	⚠️ board-owned	needs admin-UI flip from in_progress; repo-side criteria all evidenced via .bestpractices.json
2. Close every unmet Best Practices criterion	⚠️ board-owned	same — admin-UI walkthrough on bestpractices.dev/projects/12650
3. .github/workflows/scorecard.yml lands	✅ already shipped (PR #74); verified push+cron+dispatch + SARIF + SHA-pinning
4. .github/workflows/security.yml mirroring (B) OSS-CLI stack	✅ this PR
5. SECURITY.md + signed-commit branch protection on main	✅ SECURITY.md already in repo; ⚠️ branch-protection toggle is GitHub-settings — board needs to verify the rule is enforced
6. OpenSSF Best Practices badge at top of README.md	✅ this PR (placeholder → live)
7. .bestpractices.json at repo root	✅ this PR (project_id wired)
8. Scorecard baseline + target documented in CLAUDE.md	✅ this PR

Auth-blocked items for the board

• bestpractices.dev admin UI flip — the project page (https://www.bestpractices.dev/en/projects/12650) needs the badge level walked from in_progress to passing once the maintainer reviews the answers there. Repo-side evidence is in place.
• Signed-commit branch protection on main — engineering-standards §1 says the rule is enforced; needs a one-time gh api repos/RandomCodeSpace/codeiq/branches/main/protection confirmation that required_signatures.enabled = true. If anything is missing, please add it.

Test plan

• CI green on chore/ran-52-best-practices-passing (existing ci-java.yml + the new security.yml)
• security.yml weekly cron fires Mondays 06:00 UTC
• All security.yml jobs upload either SARIF (Semgrep / OSV / Trivy) or artifacts (Gitleaks / jscpd / SBOM)
• README OpenSSF Best Practices badge renders (bestpractices.dev/projects/12650/badge → HTTP 200, verified)
• No regression on ci-java.yml, scorecard.yml, beta-java.yml, release-java.yml — actionlint clean on all five workflows

🤖 Generated with Claude Code

[aksOps]

Closing as superseded.

While this PR was in flight, #91 (chore(security): revert to OSS-CLI stack (RAN-46 path B board ruling)) and #92 (docs(badge): wire OpenSSF Best Practices project_id 12650 (RAN-46 AC #8)) landed on `main` and shipped the bulk of RAN-52 AC #4–#7:

• `.github/workflows/security.yml` — six-job OSS-CLI stack with `Block merge` gating per the board's RAN-46 path-B ruling
• `.bestpractices.json` — `project_id: 12650` wired with registration evidence
• README — live Best Practices badge + Security workflow badge
• `shared/runbooks/engineering-standards.md` — full `§1 Quality gates` rewrite around the OSS-CLI stack + explicit "do not re-introduce Sonar / CodeQL / OWASP Dependency-Check" guard

This PR's design conflicts with that ruling on three points:

1. Observability-only (`continue-on-error: true`) vs the board's gate-blocking stance.
2. Different tool mechanics (Gitleaks via Docker image; Semgrep via `p/default`; OSV-Scanner over the full tree) vs the path-B implementations on main.
3. CLAUDE.md / engineering-standards prose still referencing CodeQL + OWASP DC + SonarCloud as live tools.

The only piece without overlap is the CLAUDE.md `Supply-chain observability (OpenSSF)` section (RAN-52 AC #7 — main's CLAUDE.md has zero OpenSSF mentions). I'll re-open that piece as a much smaller PR rebased on the post-#91 / #92 main, with prose aligned to the path-B ruling.

No code from this PR is being merged.