Platform audit remediation: fix README claim drift, add SOC 2 docs, harden CI/Dependabot

.github/dependabot.yml

@@ -23,14 +23,15 @@ updates:
     commit-message:
       prefix: "chore(deps)"
     groups:
-      # Group minor/patch updates together
-      minor-and-patch:
-        patterns:
-          - "*"
+      # Patch updates are auto-merged via dependabot-auto-merge.yml
+      patch-updates:
         update-types:
-          - "minor"
           - "patch"
-      # Keep major updates separate for review
+      # Minor updates grouped but require manual review
+      minor-updates:
+        update-types:
+          - "minor"
+      # Keep major updates as individual PRs for manual review
       react:
         patterns:
           - "react"
@@ -66,12 +67,14 @@ updates:
     commit-message:
       prefix: "chore(deps)"
     groups:
-      minor-and-patch:
-        patterns:
-          - "*"
+      # Patch updates are auto-merged via dependabot-auto-merge.yml
+      patch-updates:
         update-types:
-          - "minor"
           - "patch"
+      # Minor updates grouped but require manual review
+      minor-updates:
+        update-types:
+          - "minor"
       prisma:
         patterns:
           - "prisma"
@@ -101,12 +104,17 @@ updates:
       - "ci"
     commit-message:
       prefix: "chore(ci)"
+    groups:
+      actions-updates:
+        patterns:
+          - "*"
 
   # Docker images
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
     labels:
       - "dependencies"
       - "docker"
@@ -117,8 +125,10 @@ updates:
     directory: "/backend"
     schedule:
       interval: "weekly"
+      day: "monday"
     labels:
       - "dependencies"
       - "docker"
     commit-message:
       prefix: "chore(docker)"
+

.github/workflows/ci.yml

@@ -39,6 +39,10 @@ jobs:
       - name: Install dependencies
         run: npm ci --ignore-scripts
 
+      - name: Audit dependencies (fail on high/critical)
+        run: npm audit --audit-level=high --ignore-scripts
+        continue-on-error: false
+
       # Type-check and Lint are currently non-gating: the repo has known
       # legacy findings being worked off (see PLATFORM_AUDIT_2026-04-22.md).
       # Build + tests stay gating. Remove `continue-on-error` once backlog
@@ -122,6 +126,10 @@ jobs:
       - name: Install dependencies (root + all workspaces)
         run: npm ci --ignore-scripts
 
+      - name: Audit dependencies (fail on high/critical)
+        run: npm audit --audit-level=high --ignore-scripts
+        continue-on-error: false
+
       - name: Generate Prisma client
         working-directory: backend
         run: npx prisma generate

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,24 @@
+name: Dependabot Auto-Merge
+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Auto-merge patch updates
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -7,6 +7,7 @@
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.x-blue.svg)](https://www.typescriptlang.org/)
 [![NVIDIA Inception](https://img.shields.io/badge/NVIDIA-Inception%20Member-76b900.svg)](https://www.nvidia.com/en-us/startups/)
 [![License](https://img.shields.io/badge/License-Commercial-lightgrey.svg)](#license)
+[![Security Posture](https://img.shields.io/badge/Security-SOC%202%20Aligned-blue.svg)](docs/SECURITY_POSTURE.md)
 
 **The Defensible AI Platform — every decision, defensible.**
 
@@ -252,8 +253,8 @@ datacendia-components/
 │   │   │   ├── vault/      # OpenBao/Vault secrets management
 │   │   │   ├── gpu/        # RAPIDS analytics + Confidential Computing
 │   │   │   ├── streaming/  # Flink CEP real-time processing
-│   │   │   ├── verticals/  # 29 industry vertical implementations
-│   │   │   └── sovereign/  # 11 sovereign architecture patterns
+│   │   │   ├── verticals/  # 30 industry vertical implementations
+│   │   │   └── sovereign/  # 24 sovereign service implementations
 │   │   ├── middleware/     # Auth, logging, security
 │   │   ├── security/       # PolicyEngine, KeycloakAuth, KMS, HSM
 │   │   └── config/         # Database, Redis, Neo4j, inference config
@@ -455,7 +456,11 @@ See [Air-Gapped Deployment Guide](docs/AIRGAPPED_DEPLOYMENT.md) for complete ins
 | [Product Bible](docs/DATACENDIA_BIBLE.md) | Product vision and features |
 | [Real-World Value](docs/REAL_WORLD_VALUE.md) | Detailed use case examples |
 | [Complete Service Matrix](docs/COMPLETE_SERVICE_MATRIX.md) | Full service catalog with pricing |
-| [Verticals](docs/VERTICALS.md) | 29 industry verticals deep dive |
+| [Verticals](docs/VERTICALS.md) | 30 industry verticals deep dive |
+| [Security Posture](docs/SECURITY_POSTURE.md) | SOC 2 controls matrix for InfoSec review |
+| [SOC 2 Controls Matrix](docs/SOC2_CONTROLS_MATRIX.md) | Detailed technical controls mapping |
+| [Pilot Playbook](docs/PILOT_PLAYBOOK.md) | 30-day onboarding guide for Pilot customers |
+| [Implementation Status](docs/IMPLEMENTATION_STATUS.md) | ROADMAP items — what's implemented vs planned |
 
 ## 🔐 Environment Variables
 

SUPPORT.md

@@ -0,0 +1,28 @@
+# Support
+
+## Pilot & Paid Tier Support
+
+- **Email:** support@datacendia.com
+- **Response SLA:**
+  - Pilot: 24 hours (business days)
+  - Foundation: 8 hours (business days)
+  - Enterprise: 4 hours (24/7 for P1)
+  - Strategic: 1 hour (24/7)
+- **Emergency (P1 — platform down):** Include `[P1]` in subject line
+
+## Community Support
+
+- GitHub Issues: https://github.com/datacendia/datacendia-core/issues
+- Community Edition questions, bug reports, and feature requests
+
+## Security Vulnerabilities
+
+Do NOT report security vulnerabilities as public GitHub issues.  
+See [SECURITY.md](SECURITY.md) for responsible disclosure process.
+
+## Before Opening a Support Ticket
+
+1. Check the [Quick Reference](docs/QUICK_REFERENCE.md)
+2. Check the [Changelog](CHANGELOG.md) for known issues
+3. Run `GET /api/v1/health/sovereign` to verify service health
+4. Collect logs: `docker compose logs --tail=100 api`