
Resolve remaining repo-level Scorecard governance findings #279

@bmdhodl

Description


Summary

After release-prep cleanup, the remaining open Scorecard findings are governance/process items rather than code defects:

  • CodeReviewID: repository review enforcement / branch protection
  • FuzzingID: no fuzzing or ClusterFuzzLite integration detected
  • CIIBestPracticesID: Best Practices badge is still only in progress
  • MaintainedID: repository-age false positive should be re-evaluated once the repo is older than 90 days

Why this matters

These findings affect the public security posture and badge signals, but they are not good patch-release blockers for the Python SDK itself. They should be tracked explicitly instead of being rediscovered during every release prep.

Acceptance Criteria

  • Decide which findings should be fixed vs dismissed vs accepted
  • Enable any needed repo settings or workflows for review enforcement / fuzzing
  • Update documentation or badge config as needed
  • Confirm the remaining open Scorecard alerts are intentional

References

  • GitHub Security -> Code scanning alerts
  • .github/workflows/scorecard.yml
  • OpenSSF Scorecard report for bmdhodl/agent47
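As an added example (not part of this issue or the agent47 repository), a small Python gate that reads a Scorecard JSON report and fails only on low-scoring checks that are not on an explicit accepted list, so findings like the four above stay tracked instead of being rediscovered at every release prep. The sample report, the threshold of 5 and the accepted list with its #279 notes are constructed assumptions, not values taken from the real Scorecard run.

```python
import json
import sys

# Constructed sample in the shape of `scorecard --format json` output,
# trimmed to the fields this script reads (name, score, reason).
SAMPLE_REPORT = json.dumps({
    "checks": [
        {"name": "Code-Review", "score": 3, "reason": "found 3 unreviewed changesets out of 10"},
        {"name": "Fuzzing", "score": 0, "reason": "project is not fuzzed"},
        {"name": "CII-Best-Practices", "score": 2, "reason": "badge detected: InProgress"},
        {"name": "Maintained", "score": 0, "reason": "repo was created in the last 90 days"},
        {"name": "Pinned-Dependencies", "score": 10, "reason": "all dependencies are pinned"},
    ],
})

# Explicitly accepted findings: check name -> (score accepted at, tracking note).
# A check that later drops below its accepted score is a regression and fails.
ACCEPTED = {
    "Fuzzing": (0, "#279: no ClusterFuzzLite integration yet"),
    "CII-Best-Practices": (2, "#279: Best Practices badge still in progress"),
    "Maintained": (0, "#279: repo-age false positive, re-evaluate after 90 days"),
}

def evaluate(report_json, accepted=ACCEPTED, threshold=5):
    """Split checks scoring below `threshold` into unexplained failures and
    accepted, tracked findings. Returns (failures, accepted_hits), each a
    list of (name, score, note)."""
    failures, accepted_hits = [], []
    for check in json.loads(report_json)["checks"]:
        name, score = check["name"], check["score"]
        if score == -1:  # Scorecard reports -1 when a check could not run
            failures.append((name, score, "check did not run: " + check["reason"]))
        elif score < threshold:
            floor, note = accepted.get(name, (None, None))
            if floor is not None and score >= floor:
                accepted_hits.append((name, score, note))
            else:
                failures.append((name, score, check["reason"]))
    return failures, accepted_hits

def gate(report_json):
    """Exit status for CI: 0 when every low score is an accepted finding."""
    failures, accepted_hits = evaluate(report_json)
    for tag, rows in (("accepted", accepted_hits), ("FAIL", failures)):
        for name, score, note in rows:
            print(f"{tag:8} {name} ({score}/10): {note}")
    return 1 if failures else 0
if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REPORT))
```

On the sample, Code-Review is the only unexplained failure, which matches the one finding above that calls for a repo setting change rather than an accepted exception.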
