docs(claude-md): document OpenSSF Best Practices + Scorecard baseline (RAN-52 AC #7)#95

Merged
aksOps merged 1 commit into main from chore/ran-52-claude-md-supply-chain on Apr 26, 2026

Conversation

@aksOps aksOps (Contributor) commented Apr 26, 2026

Summary

Closes the only RAN-52 acceptance criterion not already covered by the merged PRs #91 (OSS-CLI stack) and #92 (Best Practices project_id wiring).

  • CLAUDE.md gets a new "Supply-chain observability (OpenSSF)" section covering:
    • Best Practices badge state — project 12650 registered, hard gate is passing, the in_progress → passing flip is board-owned in the bestpractices.dev admin UI.
    • Scorecard baseline + target — workflow location, weekly-cron schedule, ≥ 8.0/10 stretch target, the eight checks we want at max, and the two known floor reductions (Webhooks N/A, Signed-Releases partial).
    • OSS-CLI security stack at operator-level (path-B board ruling): six gate-blocking jobs — OSV-Scanner, Trivy, Semgrep, Gitleaks, jscpd, anchore/sbom-action — with a "do not re-introduce SonarCloud/CodeQL/OWASP DC without explicit board reversal" guard pointing at engineering-standards.md §5.1.

shared/runbooks/engineering-standards.md §1 + §5 remains the SSoT for the stack; this section is the operator-level summary referenced from CLAUDE.md.

Closes RAN-52 AC #7. The remaining acceptance items (final bestpractices.dev page flip; one-time confirmation that required_signatures is on for main) are board-owned and called out in the Paperclip thread.

Why a separate PR

The original RAN-52 attempt (#94, now closed) was opened against an out-of-date main. While it was in flight, #91 and #92 landed and shipped the bulk of AC #4–#6 — but with gate-blocking and the path-B board ruling (no Sonar / CodeQL / OWASP DC), which conflicted with #94's observability-only design. #94 closed; this PR is the rebased remainder.

Test plan

  • CI green on chore/ran-52-claude-md-supply-chain
  • CLAUDE.md renders cleanly on GitHub (links resolve to engineering-standards.md, scorecard.yml, security.yml, the Scorecard project page, and bestpractices.dev/12650)

🤖 Generated with Claude Code
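
One way to turn the documented Scorecard baseline into a check that can run after the weekly cron, as an added example that is not part of this PR or the project's own tooling: it reads the JSON that `scorecard --format=json` emits and compares it against the ≥ 8.0 aggregate target, the checks expected at 10, and the two accepted floor reductions. The names used for "the eight checks we want at max" are an assumption (the PR does not list them), and the sample report is constructed.

```python
import json

TARGET_SCORE = 8.0
# Assumed names for "the eight checks we want at max"; the PR text does not list them.
MUST_BE_MAX = {
    "Binary-Artifacts", "Branch-Protection", "Dangerous-Workflow", "Token-Permissions",
    "Pinned-Dependencies", "Vulnerabilities", "SAST", "Maintained",
}
# The two known floor reductions named in the PR: Webhooks N/A, Signed-Releases partial.
ACCEPTED_BELOW_MAX = {"Webhooks", "Signed-Releases"}


def evaluate(result: dict) -> tuple[bool, list[str]]:
    """Compare one Scorecard JSON result against the documented baseline.

    Scorecard's JSON carries a top-level "score" (0-10) and a "checks" list of
    {"name", "score", ...}; a per-check score of -1 means inconclusive / N/A.
    Returns (passes, findings); findings is empty when the baseline holds.
    """
    findings = []
    aggregate = float(result.get("score", -1))
    if aggregate < TARGET_SCORE:
        findings.append(f"aggregate {aggregate:.1f} below target {TARGET_SCORE:.1f}")
    seen = {chk["name"]: chk.get("score", -1) for chk in result.get("checks", [])}
    for name in sorted(MUST_BE_MAX):
        score = seen.get(name)
        if score is None:
            findings.append(f"{name}: missing from report")
        elif score != 10:
            findings.append(f"{name}: scored {score}, expected 10")
    # Any other check coming back inconclusive is a new floor reduction, not an accepted one.
    for name, score in sorted(seen.items()):
        if score == -1 and name not in ACCEPTED_BELOW_MAX:
            findings.append(f"{name}: inconclusive (-1); not an accepted floor reduction")
    return (not findings, findings)


# Constructed sample in Scorecard's JSON shape; not real output for this repository.
SAMPLE_REPORT = json.loads("""{
  "score": 8.4,
  "checks": [
    {"name": "Binary-Artifacts", "score": 10}, {"name": "Branch-Protection", "score": 10},
    {"name": "Dangerous-Workflow", "score": 10}, {"name": "Token-Permissions", "score": 10},
    {"name": "Pinned-Dependencies", "score": 10}, {"name": "Vulnerabilities", "score": 10},
    {"name": "SAST", "score": 10}, {"name": "Maintained", "score": 10},
    {"name": "Webhooks", "score": -1}, {"name": "Signed-Releases", "score": 5},
    {"name": "Code-Review", "score": 7}
  ]
}""")
```

Wiring `evaluate()` into the Scorecard job (failing the step when the first element is False) turns the stretch target into a visible regression signal without touching the gate-blocking jobs.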

… (RAN-52 AC #7)

Adds a "Supply-chain observability (OpenSSF)" section to CLAUDE.md covering
the Best Practices project (12650), the Scorecard workflow + target, and an
operator-level summary of the path-B OSS-CLI security stack. Aligns with the
RAN-46 path-B board ruling that landed in PR #91 (no Sonar/CodeQL/OWASP DC).

`shared/runbooks/engineering-standards.md` §1 + §5 remains the SSoT for the
security stack details; this section cross-references it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Paperclip <noreply@paperclip.ing>
@aksOps aksOps merged commit bbacb86 into main Apr 26, 2026
13 checks passed
@aksOps aksOps deleted the chore/ran-52-claude-md-supply-chain branch April 26, 2026 02:56