docs: describe Scorecard, dependency review, and public-repo hardening

README adds an OpenSSF Scorecard badge and lists the new workflows.
CONTRIBUTING describes the workflows that gate pull requests and the
workflows that run on schedule. SECURITY documents the new baseline
controls including OpenSSF Scorecard, dependency review with an
AGPL-3.0-compatible license allow-list, Dependabot updates, the gitleaks
clean-history scan (190 commits, 0 leaks), branch protection on main,
and the SemVer tag ruleset.

Author: rldyourmnd

CONTRIBUTING.md

@@ -43,10 +43,16 @@ Use the devcontainer in `.devcontainer/` when you need a clean, production-like
 
 All pull requests run the following workflows automatically:
 
-- `validate`: fast and runtime smoke run on both Ubuntu and macOS; release dry-run and MCP runtime pin freshness run on Ubuntu only.
-- `security-static` (action pins, actionlint, text security scan, ShellCheck, Pyright, Semgrep CLI). Also runs on a weekly schedule.
-- `codeql` (GitHub CodeQL analysis for Python and GitHub Actions). Also runs on a weekly schedule.
-- `dependency-check` (MCP runtime pin freshness) runs on a daily schedule and on push to MCP pin sources; it does not block pull requests.
+- `validate`: fast and runtime smoke on Ubuntu and macOS; release dry-run, MCP runtime pin freshness (advisory only on pull requests), and MCP safe-call smoke on Ubuntu.
+- `security-static`: action pins, actionlint, text security scan, ShellCheck, Pyright, Semgrep CLI. Also runs on a weekly schedule.
+- `codeql`: GitHub CodeQL analysis for Python and GitHub Actions with `security-and-quality` queries. Also runs on a weekly schedule.
+- `dependency-review`: blocks merges that introduce dependencies with high-severity vulnerabilities or licenses outside the AGPL-3.0-or-later compatible allow-list.
+- `labeler`: applies area labels based on changed paths.
+
+In addition, on push to `main` and on a weekly schedule:
+
+- `scorecard`: OpenSSF Scorecard analysis (uploads SARIF to GitHub Security tab and publishes the badge result to `scorecard.dev`).
+- `dependency-check` (`MCP runtime pin freshness (scheduled)`): runs daily and on push to MCP pin sources; fails loudly when pins are stale so the maintainer can bump them intentionally.
 
 A pull request is mergeable only when these checks complete and pass. Maintainers may dispatch additional scoped runs through `workflow_dispatch`.
 

README.md

@@ -3,6 +3,7 @@
 [![validate](https://github.com/NDDev-it-com/rldyour-codex/actions/workflows/validate.yml/badge.svg?branch=main)](https://github.com/NDDev-it-com/rldyour-codex/actions/workflows/validate.yml)
 [![security-static](https://github.com/NDDev-it-com/rldyour-codex/actions/workflows/security-static.yml/badge.svg?branch=main)](https://github.com/NDDev-it-com/rldyour-codex/actions/workflows/security-static.yml)
 [![CodeQL](https://github.com/NDDev-it-com/rldyour-codex/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/NDDev-it-com/rldyour-codex/actions/workflows/codeql.yml)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/NDDev-it-com/rldyour-codex/badge)](https://scorecard.dev/viewer/?uri=github.com/NDDev-it-com/rldyour-codex)
 [![License: AGPL-3.0-or-later](https://img.shields.io/badge/License-AGPL--3.0--or--later-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)
 [![Latest Release](https://img.shields.io/github/v/release/NDDev-it-com/rldyour-codex)](https://github.com/NDDev-it-com/rldyour-codex/releases/latest)
 
@@ -156,8 +157,11 @@ GitHub Actions run automatically on this public repository:
 - `validate.yml`: on every push to `main` and every pull request targeting `main`, runs fast validation on Ubuntu and macOS, runtime smoke on Ubuntu and macOS, release dry-run, MCP runtime pin freshness, and MCP safe-call smoke. `workflow_dispatch` is available for narrower scopes.
 - `security-static.yml`: on push to `main`, pull requests, and weekly schedule, runs action pin validation, actionlint, repository text security scan, ShellCheck, Pyright, and Semgrep CLI without paid GitHub Code Security.
 - `codeql.yml`: on push to `main`, pull requests, and weekly schedule, runs GitHub CodeQL analysis with `security-and-quality` queries for Python and GitHub Actions.
-- `dependency-check.yml`: on daily schedule and on push to MCP runtime pin sources, checks pinned MCP runtime versions through `scripts/check_mcp_runtime_versions.py --fail-on-outdated`.
+- `dependency-check.yml`: on daily schedule and on push to MCP runtime pin sources, checks pinned MCP runtime versions through `scripts/check_mcp_runtime_versions.py --fail-on-outdated`. Surfaces stale pins as a maintainer-visible signal without blocking pull requests.
 - `release.yml`: on push of a SemVer tag matching `X.Y.Z[-pre]`, validates `VERSION` and `CHANGELOG.md`, builds a deterministic bundle, generates a release manifest and SPDX 2.3 SBOM, exports the GitHub dependency-graph SBOM when available, attaches artifact attestations, and publishes the GitHub Release. `workflow_dispatch` remains available as a fallback.
+- `scorecard.yml`: weekly OSSF Scorecard analysis, also on push to `main` and branch protection rule changes. Uploads SARIF to the GitHub Security tab and publishes results to `scorecard.dev`.
+- `dependency-review.yml`: on pull requests, blocks merges that introduce dependencies with known high-severity vulnerabilities or licenses outside the allow-list (AGPL-3.0-or-later compatible).
+- `labeler.yml`: on pull requests, applies area labels (ci-cd / scripts / plugin / docs / tests / release / security) based on changed paths defined in `.github/labeler.yml`.
 
 All external GitHub Actions are pinned by full commit SHA, with the human-readable tag kept as an inline comment. Pin enforcement is checked by `scripts/validate_action_pins.py` and gated in CI.
 

SECURITY.md

@@ -46,12 +46,19 @@ These targets are best-effort and not contractual.
 ## Baseline Controls
 
 - External GitHub Actions are pinned to full commit SHAs. `scripts/validate_action_pins.py` enforces this in CI.
-- CI uses least-privilege `GITHUB_TOKEN` permissions by default. Release jobs request `contents: write`, `id-token: write`, and `attestations: write`. CodeQL jobs request `security-events: write`.
-- GitHub CodeQL runs on every push and pull request for Python and GitHub Actions languages with `security-and-quality` queries.
+- CI uses least-privilege `GITHUB_TOKEN` permissions by default. Release jobs request `contents: write`, `id-token: write`, and `attestations: write`. CodeQL and Scorecard jobs request `security-events: write`.
+- **GitHub CodeQL** runs on every push and pull request for Python and GitHub Actions languages with the `security-and-quality` query suite.
+- **OpenSSF Scorecard** runs weekly and on push to `main`. Results are uploaded to the Security tab as SARIF and published to `scorecard.dev` for the public Scorecard badge.
+- **Dependency Review** runs on pull requests through `actions/dependency-review-action` with `fail-on-severity: high` and a license allow-list compatible with AGPL-3.0-or-later.
+- **Dependabot** is enabled for vulnerability alerts and automated security updates, plus a weekly GitHub Actions update schedule.
+- **GitHub Secret Scanning** and **Secret Scanning Push Protection** are managed at the organization level (`NDDev-it-com`); when enabled by the org owner, they protect this repository automatically.
 - No-paid static security gates use ShellCheck, Pyright, Semgrep CLI, action pin validation, repository text security scanning, and custom repository validators.
 - Semgrep excludes only the `bash.lang.security.ifs-tampering.ifs-tampering` rule because the repository intentionally uses `IFS=$'\n\t'` as part of its strict shell prologue and validates shell scripts separately with ShellCheck.
 - Release bundles use deterministic archives, release manifests, generated SPDX 2.3 SBOMs, GitHub artifact attestations, and (when available) GitHub dependency-graph SBOM export.
 - `scripts/scan_text_security.py` scans tracked text and agent-only paths for credential patterns and hidden Unicode controls without printing matched values.
+- The full git history was scanned with `gitleaks` (8.30.1) before the public release; 190 commits, 0 leaks found.
+- Branch protection on `main` requires all auto-running CI gates to pass before merge, blocks force pushes, blocks branch deletion, and requires linear history.
+- SemVer release tags (`X.Y.Z` and `X.Y.Z-pre`) are protected by a repository ruleset against deletion, update, and non-fast-forward push. Only repository administrators can bypass.
 
 ## Out Of Scope