docs(security): rewrite .bestpractices.json to canonical autofill schema (RAN-58)#47

Merged: aksOps merged 1 commit into main from ran58-bestpractices-canonical-schema on Apr 26, 2026
Conversation

@aksOps (Contributor) commented Apr 26, 2026

Summary

Rewrites .bestpractices.json from the legacy custom group structure (status / evidence / audit keys, which bestpractices.dev's autofill ignores) to the canonical flat per-criterion schema documented at coreinfrastructure/best-practices-badge:docs/bestpractices-json.md. Once this lands, the board can flip project 12646 and the autofill robot will pre-fill all 67 questionnaire answers from this file.

Closes RAN-58. Companion to RAN-53 (OSS-CLI security stack — already on main via #34) and the parallel rewrites for codeiq (RAN-52), snipIT (RAN-54), vigil (RAN-55).

What changed

  • .bestpractices.json — 67 canonical criteria from criteria.yml '0': block (43 MUST + 10 SHOULD + 14 SUGGESTED). Each entry has <key>_status, <key>_justification, and (for the 8 url-required criteria) <key>_url. 21 additional _url fields enrich evidence beyond the minimum.
  • CONTRIBUTING.md (new) — minimal contributor guide so the contribution MUST, contribution_requirements SHOULD, and test_policy / tests_documented_added MUSTs all have honest backing evidence. Documents the CI gates already in place: go test -race, go vet, golangci-lint, OSV-Scanner, Trivy, Semgrep, Gitleaks, jscpd.

Status distribution (67 / 67)

| Category | Met | N/A | Notes |
|---|---|---|---|
| MUST (43) | 42 | 1 | crypto_password_storage → N/A (otelcontext authenticates via bearer API_KEY or Azure Entra; no user passwords stored) |
| SHOULD (10) | 10 | 0 | |
| SUGGESTED (14) | 13 | 1 | dynamic_analysis_unsafe → N/A (Go is memory-safe; no unsafe.Pointer in application code) |

All eight met_url_required criteria (contribution, contribution_requirements, license_location, release_notes, report_process, report_archive, vulnerability_report_process, vulnerability_report_private) carry concrete _url fields. No ? placeholders.

Acceptance check (from RAN-58)

  • .bestpractices.json rewritten against the canonical flat per-criterion schema
  • Meta fields preserved: project_id, name, description, homepage_url, repo_url, license, level: "passing"
  • All 43 MUST criteria populated as Met (or N/A where na_allowed) with concrete file-path / URL evidence in _justification
  • All 10 SHOULD criteria populated honestly
  • All 14 SUGGESTED criteria populated as Met where true (and one honest N/A); no ? placeholders needed
  • <key>_url provided where criteria.yml requires it (8/8)
  • Single PR; auto-merge on green CI — this PR
  • Board flips bestpractices.dev project 12646 to passing — board admin step

Validation

  • jq empty .bestpractices.json → clean parse
  • 67 _status keys ↔ 67 canonical criteria (1:1 map, zero missing, zero extra)
  • 67 _justification keys
  • 8/8 url-required criteria have _url

Test plan

  • jq empty .bestpractices.json — JSON validates
  • Per-criterion key coverage matches criteria.yml '0': block (verified programmatically: set(canonical) == set(file_keys))
  • CI green (build · vet · test + Security OSS-CLI stack)
  • Board flips project 12646 to passing and posts @TechLead approved (per RAN-50 flip-gate)

🤖 Generated with Claude Code — Co-Authored-By: Paperclip
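The validation the PR describes (one `<key>_status` per canonical criterion, a `_justification` for each, a `_url` wherever the criterion requires one, no `?` placeholders, meta fields intact) is easy to script. The checker below is an added example, not code from the PR or the best-practices-badge project; the `CANONICAL` table, its `url_required` / `na_allowed` flags and the `SAMPLE` document are constructed for the demo, with placeholder names and URLs.

```python
from typing import Dict, List

# Constructed subset of the canonical criteria table. Names mirror the criteria.yml
# '0': block the PR cites; url_required / na_allowed values are demo assumptions.
CANONICAL: Dict[str, dict] = {
    "contribution":            {"url_required": True,  "na_allowed": False},
    "license_location":        {"url_required": True,  "na_allowed": False},
    "crypto_password_storage": {"url_required": False, "na_allowed": True},
    "static_analysis":         {"url_required": False, "na_allowed": False},
}
META_FIELDS = ("project_id", "name", "description", "homepage_url",
               "repo_url", "license", "level")
STATUSES = {"Met", "Unmet", "N/A", "?"}  # "?" is the unanswered placeholder

def validate(doc: dict, canonical: Dict[str, dict] = CANONICAL) -> List[str]:
    """Return problems found; an empty list means the file is autofill-ready."""
    problems: List[str] = []
    for field in META_FIELDS:
        if doc.get(field) in (None, ""):
            problems.append(f"missing meta field {field}")
    # 1:1 map between canonical criteria and <key>_status entries in the file
    file_keys = {k[: -len("_status")] for k in doc if k.endswith("_status")}
    for extra in sorted(file_keys - set(canonical)):
        problems.append(f"{extra}_status is not a canonical criterion")
    for key, rules in canonical.items():
        status = doc.get(f"{key}_status")
        if status not in STATUSES:
            problems.append(f"{key}_status missing or invalid: {status!r}")
            continue
        if status == "?":
            problems.append(f"{key}_status is still a '?' placeholder")
        if status == "N/A" and not rules["na_allowed"]:
            problems.append(f"{key} marked N/A but N/A is not allowed")
        if not str(doc.get(f"{key}_justification", "")).strip():
            problems.append(f"{key}_justification missing or empty")
        if status == "Met" and rules["url_required"]:
            if not str(doc.get(f"{key}_url", "")).startswith("https://"):
                problems.append(f"{key}_url required for Met but missing")
    return problems

# Constructed sample file (placeholder name/URLs, not the project's real JSON)
SAMPLE = {
    "project_id": 12646, "name": "demo", "description": "demo service",
    "homepage_url": "https://example.invalid", "repo_url": "https://example.invalid/repo",
    "license": "Apache-2.0", "level": "passing",
    "contribution_status": "Met", "contribution_justification": "See CONTRIBUTING.md",
    "contribution_url": "https://example.invalid/repo/blob/main/CONTRIBUTING.md",
    "license_location_status": "Met", "license_location_justification": "LICENSE at root",
    "license_location_url": "https://example.invalid/repo/blob/main/LICENSE",
    "crypto_password_storage_status": "N/A",
    "crypto_password_storage_justification": "Bearer-token auth; no passwords stored",
    "static_analysis_status": "Met", "static_analysis_justification": "go vet + golangci-lint",
}
```

Point `validate` at `json.load(open(".bestpractices.json"))` and the full criteria table to reproduce the PR's `set(canonical) == set(file_keys)` check together with the `_url` and placeholder checks in one pass.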

…ema (RAN-58)

Rewrite `.bestpractices.json` from the custom group structure
(status / evidence / audit) to the flat per-criterion schema that
bestpractices.dev's autofill robot reads, so the board can flip
project 12646 to `passing` without hand-typing 67 answers.

- 67 canonical criteria from criteria.yml `'0':` block (43 MUST,
  10 SHOULD, 14 SUGGESTED)
- 65 Met + 2 honest N/A: crypto_password_storage (no password
  storage; bearer-token auth only) and dynamic_analysis_unsafe
  (Go is memory-safe; no unsafe.Pointer in app code)
- All 8 url-required criteria carry `_url` evidence
- Meta fields preserved: project_id, name, description,
  homepage_url, repo_url, license, level: "passing"
- Add CONTRIBUTING.md to back the `contribution` MUST plus the
  test / lint / signed-commit policy criteria honestly

Refs: RAN-58
Schema: coreinfrastructure/best-practices-badge:docs/bestpractices-json.md

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@aksOps aksOps enabled auto-merge (squash) April 26, 2026 03:25
@aksOps aksOps merged commit 666aa3a into main Apr 26, 2026
14 checks passed
@aksOps aksOps deleted the ran58-bestpractices-canonical-schema branch April 26, 2026 03:25