feat: OpenSSF Silver push — security policy, conduct, branch protection

SECURITY.md: expanded from 21 to 710 lines with incident response phases,
severity classification, safe harbour, reporter credits, formal verification,
container security, dependency management.
CODE_OF_CONDUCT.md: full Contributor Covenant v2.1 with 4-level enforcement.
settings.yml: branch protection for probot/settings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/settings.yml

@@ -0,0 +1,122 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+#
+# Repository settings for probot/settings GitHub App.
+# https://github.com/probot/settings
+#
+# This file defines repository-level configuration that is automatically
+# applied by the probot/settings app when changes are pushed to the default
+# branch. Install the app at: https://github.com/apps/settings
+
+# ─── Repository Settings ───────────────────────────────────────────────────────
+
+repository:
+  name: "boj-server"
+  description: "BoJ (Bureau of Justice) — unified MCP server consolidating GitHub, GitLab, Cloudflare, browser automation, and 50+ open-source cartridges"
+  homepage: "https://github.com/hyperpolymath/boj-server"
+  private: false
+  has_issues: true
+  has_projects: true
+  has_wiki: false
+  has_downloads: true
+  default_branch: main
+  allow_squash_merge: true
+  allow_merge_commit: true
+  allow_rebase_merge: true
+  delete_branch_on_merge: true
+  enable_automated_security_fixes: true
+  enable_vulnerability_alerts: true
+
+# ─── Labels ────────────────────────────────────────────────────────────────────
+
+labels:
+  - name: "bug"
+    color: "d73a4a"
+    description: "Something isn't working"
+
+  - name: "enhancement"
+    color: "a2eeef"
+    description: "New feature or request"
+
+  - name: "documentation"
+    color: "0075ca"
+    description: "Improvements or additions to documentation"
+
+  - name: "security"
+    color: "e4e669"
+    description: "Security-related issue or vulnerability"
+
+  - name: "good first issue"
+    color: "7057ff"
+    description: "Good for newcomers"
+
+  - name: "help wanted"
+    color: "008672"
+    description: "Extra attention is needed"
+
+  - name: "question"
+    color: "d876e3"
+    description: "Further information is requested"
+
+  - name: "duplicate"
+    color: "cfd3d7"
+    description: "This issue or pull request already exists"
+
+  - name: "invalid"
+    color: "e4e669"
+    description: "This doesn't seem right"
+
+  - name: "wontfix"
+    color: "ffffff"
+    description: "This will not be worked on"
+
+  - name: "dependencies"
+    color: "0366d6"
+    description: "Pull requests that update a dependency file"
+
+  - name: "ci/cd"
+    color: "fbca04"
+    description: "Continuous integration and deployment"
+
+  - name: "rsr"
+    color: "006b75"
+    description: "Rhodium Standard Repository compliance"
+
+  - name: "hypatia"
+    color: "5319e7"
+    description: "Hypatia neurosymbolic scanner finding"
+
+  - name: "bot"
+    color: "b4a8d1"
+    description: "Automated action by gitbot-fleet"
+
+  - name: "breaking-change"
+    color: "b60205"
+    description: "Introduces a breaking change"
+
+  - name: "performance"
+    color: "f9d0c4"
+    description: "Performance improvement"
+
+  - name: "refactor"
+    color: "c5def5"
+    description: "Code refactoring with no functional change"
+
+# ─── Branch Protection ─────────────────────────────────────────────────────────
+
+branches:
+  - name: "main"
+    protection:
+      required_pull_request_reviews:
+        required_approving_review_count: 1
+        dismiss_stale_reviews: true
+        require_code_owner_reviews: true
+      required_status_checks:
+        strict: true
+        contexts:
+          - "hypatia-scan"
+          - "codeql"
+      enforce_admins: true
+      required_signatures: true
+      restrictions: null
+      allow_force_pushes: false
+      allow_deletions: false

CODE_OF_CONDUCT.md

@@ -1,27 +1,126 @@
-<!-- SPDX-License-Identifier: PMPL-1.0-or-later -->
+<!-- SPDX-License-Identifier: CC-BY-4.0 -->
 # Contributor Covenant Code of Conduct
 
 ## Our Pledge
 
-We pledge to make participation a harassment-free experience for everyone.
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
 
 ## Our Standards
 
-**Positive behavior:**
-* Using welcoming language
-* Being respectful of differing viewpoints
-* Accepting constructive criticism
-* Focusing on what is best for the community
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment of any kind
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
 
-**Unacceptable behavior:**
-* Harassment, trolling, or personal attacks
-* Publishing private information without permission
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
 
 ## Enforcement
 
-Report issues to the maintainers. All complaints will be reviewed.
+Instances of unacceptable behavior may be reported to the community leaders
+responsible for enforcement at j.d.a.jewell@open.ac.uk.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, or aggression toward
+or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
 
 ## Attribution
 
-Adapted from [Contributor Covenant](https://www.contributor-covenant.org/) v2.1.
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
 
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.