
Platform audit remediation: fix README claim drift, add SOC 2 docs, harden CI/Dependabot #64

Draft
Copilot wants to merge 2 commits into main from copilot/fix-marketing-claim-drift-readme

Copilot AI commented May 25, 2026

Addresses the April 2026 platform audit findings. Fixes factual inaccuracies in marketing-facing README copy and creates the sales/InfoSec documentation suite needed for Pilot-tier customer evaluations — without touching any TypeScript source.

README Fixes

  • verticals/ # 29 → 30 industry vertical implementations (verified against actual directory count)
  • sovereign/ # 11 → 24 sovereign service implementations (verified against file count in backend/src/services/sovereign/)
  • "29 industry verticals deep dive" → 30 in the docs table
  • Added [![Security Posture](https://img.shields.io/badge/Security-SOC%202%20Aligned-blue.svg)](docs/SECURITY_POSTURE.md) badge
  • Added four new doc table rows: Security Posture, SOC 2 Controls Matrix, Pilot Playbook, Implementation Status

New Documentation

| File | Purpose |
|---|---|
| docs/SECURITY_POSTURE.md | SOC 2 controls map for InfoSec reviews — replaces "we don't have a cert yet" with an honest, control-by-control posture document |
| docs/SOC2_CONTROLS_MATRIX.md | CC/A/C/PI/P criterion-by-criterion matrix with specific file citations, implemented vs planned status, and customer-controlled vs Datacendia-controlled column |
| docs/PILOT_PLAYBOOK.md | 30-day structured onboarding guide for $50K Pilot customers — Week 1–4 plan, quantitative success criteria, money-back guarantee scope, escalation SLAs |
| docs/IMPLEMENTATION_STATUS.md | P0–P3 classified inventory of all ~98 unique // ROADMAP: stubs from roadmap_full.txt — honest "what works vs what's stubbed" for engineering and customer disclosure |
| SUPPORT.md | SLA table (Pilot 24h → Strategic 1h/24x7), community support links, security escalation path |

CI / Dependabot

ci.yml — added npm audit --audit-level=high to both frontend and backend jobs; fails on high/critical, accepts moderate/low (consistent with audit findings).

dependabot.yml — split the existing minor-and-patch combined group into separate patch-updates and minor-updates groups across both npm ecosystems + added actions-updates group. Patch-only updates now route cleanly to auto-merge.

dependabot-auto-merge.yml (new) — squash-merges patch-only Dependabot PRs automatically:

```yaml
- name: Auto-merge patch updates
  if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
  run: gh pr merge --auto --squash "$PR_URL"
```

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • CI/CD or infrastructure change

Community/Enterprise Boundary

  • This PR only touches Community Edition code (see COMMUNITY.md)
  • This PR touches Enterprise Edition code (requires platform-lead approval)

Checklist

  • My code follows the project's coding standards
  • I have added/updated tests for my changes
  • All new and existing tests pass (npm run test)
  • TypeScript compiles without errors (npm run typecheck)
  • Lint passes (npm run lint)
  • I have updated documentation if needed
  • I have not committed secrets, API keys, or credentials
  • My changes do not introduce console warnings or errors

Screenshots / Recordings

N/A — documentation and config changes only.

Testing Instructions

  1. Verify the README renders correctly on GitHub — check badge row and documentation table for new links
  2. Confirm docs/SECURITY_POSTURE.md, docs/PILOT_PLAYBOOK.md, docs/SOC2_CONTROLS_MATRIX.md, docs/IMPLEMENTATION_STATUS.md, and SUPPORT.md are accessible and render without broken links
  3. On a Dependabot patch PR, confirm dependabot-auto-merge.yml triggers and the auto-merge label is applied
  4. Confirm npm audit --audit-level=high step appears in both Frontend and Backend CI jobs
Original prompt

Context

This is a full-platform audit remediation pass for the Datacendia Enterprise Edition monorepo. The founder has given full approval for all changes. Every change below is grounded in evidence from the April 2026 platform audit (PLATFORM_AUDIT_2026-04-22.md) and direct inspection of the codebase.

Work through each section below in order. Commit logically grouped changes together.


1. Fix Marketing Claim Drift in README.md

The current README.md contains factual inaccuracies that will damage credibility with technical buyers. Fix all of the following:

In the Feature Comparison table and text:

  • "Industry Verticals: 18 basic / 30 expanded / 30 full" — the audit confirms ~21 real verticals are implemented (cross-check against backend/src/services/verticals/ subdirectory count). Update these numbers to the accurate count. Do not round up.
  • The Platform Scale table says | Industry verticals | **30** | — update to match the real count found in the verticals directory.
  • The Platform Scale table says | Collapse agents | **19** specialized | — verify by checking backend/src/services/collapse/ and update if wrong.
  • Sovereign patterns: the audit says "21 sovereign patterns" claimed vs actual 11 services. Check backend/src/services/sovereign/ file count and update the Platform Scale table | Supported jurisdictions | **17** | only if verifiably wrong (jurisdiction count is separate from sovereign services — do not conflate them).

In the Cendia Product Catalog:

  • Review whether every listed product has a corresponding service file in backend/src/services/. Products that are pure stubs with only ROADMAP comments and no real implementation should be marked with *(planned)* inline.

In the pricing table:

  • "30 expanded" and "30 full" verticals → update to accurate count matching what's found in the code.

2. Create docs/SECURITY_POSTURE.md

Create a professional security posture document at docs/SECURITY_POSTURE.md. This is a sales-facing document that a founder hands to a prospect's InfoSec team during a Pilot evaluation. It must be honest and grounded in what is actually in the codebase.

The document should cover:

# Datacendia — Security & Compliance Posture

> Last updated: May 2026
> Applies to: Enterprise and Strategic tiers (self-hosted deployments)

## Executive Summary
One paragraph: Datacendia is built with SOC 2-aligned controls from the ground up. 
Formal SOC 2 Type I certification is targeted for [reasonable date]. 
In the meantime, this document maps existing implemented controls 
to SOC 2 Trust Service Criteria and answers the most common InfoSec questions.

## Deployment Model
- Self-hosted / on-premise: customer controls the infrastructure
- Air-gapped option: data never leaves customer network (Strategic tier)
- No telemetry, no call-home: verified by sovereign mode toggle
- Customer-owned keys: CendiaNotary™ with customer-provided key material

## SOC 2 Trust Service Criteria Mapping
Table mapping each TSC criterion to the actual implemented control in the codebase:
- CC6 (Logical Access): JWT + Keycloak SSO/MFA (KeycloakAuth middleware)
- CC6.7 (Transmission Encryption): TLS enforced at nginx layer
- CC7 (System Operations): Prometheus + Grafana + Wazuh SIEM integration
- CC8 (Change Management): Git history + CI pipeline + branch protection
- CC9 (Risk Mitigation): ImmutableAuditLedger (Merkle-signed), OPA policy engine
- A1 (Availability): PostgreSQL HA with PgBouncer + Redis cluster
- C1 (Confidentiality): OpenBao/Vault secrets, AES-256 at rest
- PI1 (Processing Integrity): Deterministic replay (CendiaReplay™), Merkle verification
- P1-P8 (Privacy): ML-based PII detection (Presidio, Foundation+), GDPR/CCPA controls

## Secrets Management
- No secrets in source code (verified: only mock/placeholder values in tests)
- All secrets via environment variables or OpenBao/Vault
- .env files excluded from version control (.gitignore enforced)
- Secret scanning enabled on repository

## Dependency Security
- Automated vulnerability alerts via GitHub Dependabot
- npm audit run in CI pipeline
- Current vulnerability status: 0 critical, 0 high, moderate/low only (as of audit date)
- SBOM generation available (CendiaSBOM service)

## Data Handling
Because Datacendia runs entirely on customer infrastructure in self-hosted mode:
- We never receive, process, or store customer data
- All AI inference runs locally (Ollama/Triton/NIM on customer hardware)
- Audit ledger is stored in customer's PostgreSQL instance
- We have no access to customer environments

## Penetration Testing
- Planned: external pen test targeted for Q3 2026
- Internal: adversarial stress testing via CendiaCollapse™ and CendiaCrucible™

## Incident Response
- Defined process in SECURITY.md
- Contact: security@datacendia.com

## Certifications Roadmap
| Certification | Status | Target Date |
|---|---|---|
| SOC 2 Type I | In progress | Q4 2026 |
| SOC 2 Type II | Planned | Q...


*This pull request was created from Copilot chat.*
Copilot AI changed the title from "[WIP] Fix marketing claim drift in README.md" to "Platform audit remediation: fix README claim drift, add SOC 2 docs, harden CI/Dependabot" on May 25, 2026
Copilot AI requested a review from datacendia May 25, 2026 17:10