Update Frappe Agent trust signals (#119)

Merged: adds .codexignore, HOL trust/security/release/license badges, and SECURITY.md to the Frappe Agent bundle.

Author: Dkm0315

plugins/Dkm0315/frappe-agent/.codexignore

@@ -0,0 +1,14 @@
+.git/
+.claude/settings.local.json
+.env
+.env.*
+dist/
+build/
+node_modules/
+__pycache__/
+.pytest_cache/
+.mypy_cache/
+*.pyc
+*.pyo
+*.pyd
+.DS_Store

plugins/Dkm0315/frappe-agent/README.md

@@ -1,5 +1,10 @@
 # Frappe Agent for Codex
 
+[![HOL Trust Score](https://img.shields.io/endpoint?url=https%3A%2F%2Fhol.org%2Fapi%2Fregistry%2Fbadges%2Fplugin%3Fslug%3Ddhairya-marwaha%252Ffrappe-agent%26metric%3Dtrust%26style%3Dflat)](https://hol.org/registry/plugins/dhairya-marwaha%2Ffrappe-agent)
+[![HOL Security](https://img.shields.io/endpoint?url=https%3A%2F%2Fhol.org%2Fapi%2Fregistry%2Fbadges%2Fplugin%3Fslug%3Ddhairya-marwaha%252Ffrappe-agent%26metric%3Dsecurity%26style%3Dflat)](https://hol.org/registry/plugins/dhairya-marwaha%2Ffrappe-agent)
+[![Release](https://img.shields.io/github/v/release/Dkm0315/frappe-agent)](https://github.com/Dkm0315/frappe-agent/releases)
+[![License](https://img.shields.io/github/license/Dkm0315/frappe-agent)](./LICENSE)
+
 `frappe-agent` is a Codex plugin for Frappe Framework and ERPNext development. It makes Codex more aware of Frappe-specific patterns so it can inspect benches more safely, choose the right customization layer, and avoid generic framework mistakes.
 
 ## What It Covers

plugins/Dkm0315/frappe-agent/SECURITY.md

@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| `main` | Yes |
+| Latest published release | Yes |
+
+## Reporting a Vulnerability
+
+Please do not disclose security issues publicly before they have been reviewed.
+
+To report a vulnerability, open a private report through GitHub Security Advisories for this repository, or email `dhairya15marwaha@gmail.com` with:
+
+- a short description of the issue
+- affected files, skills, commands, or plugin metadata
+- reproduction steps or proof of concept details
+- expected impact
+- suggested fixes, if you already have them
+
+We aim to acknowledge reports within 72 hours and follow up with an initial assessment as soon as practical.
+
+## Security Practices
+
+- Keep credentials, site tokens, bench secrets, and ERPNext/Frappe environment values out of plugin files.
+- Review changes to skills and commands for prompt-injection risks before release.
+- Run the plugin scanner workflow before publishing release artifacts.
+- Prefer the latest published release when installing this plugin in day-to-day projects.