Issue #9: OpenSSF Best Practices submission kit

[hyperpolymath]

Summary

Issue #9 asks to submit OpenSSF Best Practices badge applications. The
blocker has never been the technical prerequisites — it's that the final
submission at bestpractices.dev is an authenticated browser flow that
cannot be automated.

This PR makes that flow "sorted for all time":

• Verified all three named prerequisites are GREEN:
  • Scorecard: scorecard.yml + scorecard-enforcer.yml run on
    push/schedule with publish_results: true.
  • Security policy: SECURITY.md present (advisories + encrypted
    email, response timeline, safe harbour).
  • Branch protection: main is protected (GitHub API protected: true).
• Added stateful-artefacts/openssf-best-practices/SUBMISSION-RUNBOOK.md:
  a copy/paste answer sheet mapping every passing-tier criterion to in-repo
  evidence, plus the one-time submission steps and post-award README badge
  swap. Reusable for sibling repos.
• Updated the roadmap backlog entry for Issue Submit OpenSSF Best Practices badge applications #9 to reflect status.

Remaining manual step (cannot be automated)

bestpractices.dev authenticates submitters via GitHub OAuth tied to the
submitting account; there is no unattended API flow and the self-assessment
requires human attestation. The runbook reduces this to a few minutes of
copy/paste. One criterion (floss_license_osi) needs a maintainer
judgement call since PMPL is not OSI-approved — flagged in the runbook.

Test plan

• Owner follows SUBMISSION-RUNBOOK.md to register reposystem on
  bestpractices.dev
• Project ID recorded in the runbook table; README badge swapped to
  ID-pinned live form
• Issue Submit OpenSSF Best Practices badge applications #9 closed once submitted

https://claude.ai/code/session_01LKw5BvbbxFUWi9YMogGJTL

---

Generated by Claude Code