Two Scorecard checks moved from 0/10 to 10/10. No runtime behaviour change.
What landed
- `SECURITY.md` closes Scorecard `Security-Policy` (0 -> 10). Declares the supported version line (latest minor only: `2.6.x` today, retired the day `2.7.0` ships), reporting channels (GitHub Private Vulnerability Reporting as the recommended path, fabrizio.salmi@gmail.com as fallback), response SLAs (72h ack, 7d triage, 30d fix for high/critical), in/out-of-scope boundaries, and coordinated-disclosure expectations. Private Vulnerability Reporting has been enabled on the repository, so the advisory form is live.
- `permissions: read-all` at the top level of `ci.yml` + `docker-multiplatform.yml` closes Scorecard `Token-Permissions` (0 -> 10). The two pre-existing workflows silently inherited the repository default token permissions; they now declare read-only at the workflow level. Neither needs write: coverage upload goes through `codecov-action`'s own auth, and the Docker push uses `DOCKERHUB_TOKEN`, not `GITHUB_TOKEN`. The two workflows shipped in v2.6.1 already followed this pattern.
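A quick way to confirm every workflow in a repo actually carries the workflow-level declaration (and does not grant a write scope there) without waiting for the next Scorecard run. This is an added example, not code from this PR or the project; the three sample workflows are constructed stand-ins for the "inherited default", "read-all" and "write scope" cases, not the real `ci.yml` or `docker-multiplatform.yml`. It deliberately only looks at column-0 keys, because an indented `permissions:` belongs to a job and does not satisfy the workflow-level check.

```python
import re
from typing import Dict, Optional, Union

Perms = Union[str, Dict[str, str]]

# Constructed sample workflows (not the project's real files).
WORKFLOW_INHERITED = """name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest --cov
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
"""

WORKFLOW_READ_ALL = """name: CI
on: [push, pull_request]
permissions: read-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest --cov
"""

WORKFLOW_WRITE = """name: Docker
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  packages: write
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - run: docker push example/image
"""

# "<indent><key>: <value>" -- enough YAML for a top-level permissions block.
KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_-]+):\s*(.*?)\s*$")


def top_level_permissions(workflow: str) -> Optional[Perms]:
    """Return the workflow-level `permissions` value, or None if absent.

    Only a column-0 `permissions:` counts. A scalar such as "read-all" or
    "write-all" is returned as a str; a scope mapping is returned as a dict.
    """
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = KEY_LINE.match(line)
        if not m or m.group(1) != "" or m.group(2) != "permissions":
            continue
        value = m.group(3)
        if value:
            return value.strip("'\"")
        scopes: Dict[str, str] = {}
        for sub in lines[i + 1:]:
            if sub.strip() == "" or sub.lstrip().startswith("#"):
                continue
            sm = KEY_LINE.match(sub)
            if not sm or sm.group(1) == "":
                break  # back at column 0: the mapping is over
            scopes[sm.group(2)] = sm.group(3).strip("'\"")
        return scopes
    return None


def audit(workflow: str) -> str:
    """Classify one workflow file.

    "missing" - no workflow-level permissions; GITHUB_TOKEN inherits the repo default
    "write"   - the workflow-level block grants at least one write scope
    "read"    - read-all, a read-only mapping, or an empty mapping ({})
    """
    perms = top_level_permissions(workflow)
    if perms is None:
        return "missing"
    if isinstance(perms, str):
        return "write" if perms == "write-all" else "read"
    return "write" if "write" in perms.values() else "read"


if __name__ == "__main__":
    for name, text in [("inherited", WORKFLOW_INHERITED),
                       ("read-all", WORKFLOW_READ_ALL),
                       ("write", WORKFLOW_WRITE)]:
        print(f"{name}: {audit(text)}")
```

Run it over `.github/workflows/*.yml` and anything reported as `missing` is exactly the case this PR fixed: the token silently inherits whatever the repository default happens to be. A `write` result is not automatically wrong, but it is the place to ask whether the job really needs `GITHUB_TOKEN` write access or, as here, already authenticates with a dedicated secret.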
Expected next Scorecard run: 5.6 -> ~7.0.
Closes #196.