Merge develop → main: README badges + .vscode/ gitignore

Brings two documentation fixes from PR #5:
  - README badges: CI, CodeQL, OpenSSF Scorecard (will render broken
    while repo is private, auto-resolve on public flip)
  - .vscode/ removed from tree and added to .gitignore — closes the
    root cause of the settings.json leak caught during the previous
    develop → main strip merge

scripts/strip_for_main.sh ran clean in mid-merge mode (16 paths
checked, nothing to remove this round since a72a959 already handled
the dev file deletions). Build guard PASS.

Pre-commit hook (.githooks/pre-commit) also verified — no forbidden
paths in the staged changes.

Author: devonartis

.gitignore

@@ -38,3 +38,9 @@ __pycache__/
 # M-sec gate artifacts — generated by ./scripts/gates.sh full, not checked in
 coverage.out
 sbom.spdx.json
+
+# Editor-specific settings — VSCode auto-recreates settings.json with Snyk
+# IDE preferences and other per-user state. Keep it out of the tree entirely.
+# strip_for_main.sh and .githooks/pre-commit both enforce this for main;
+# ignoring it in .gitignore prevents accidental commits on ANY branch.
+.vscode/

CHANGELOG.md

@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added — M-sec README badges (Task 30)
+
+- **`README.md`** — added three CI-health badges ahead of the existing
+  language/license/tech row:
+  - **CI** — `ci.yml` workflow status on `main`
+  - **CodeQL** — `codeql.yml` SAST status on `main`
+  - **OpenSSF Scorecard** — supply-chain posture score
+  Badges will show as "not found" or broken while the repo is private
+  (CI badge requires viewer auth; CodeQL and Scorecard require public
+  repo access). They're added now so the moment the repo flips public
+  they light up without a README update — fire-and-forget. CodeQL
+  and Scorecard will ALSO need their workflow triggers re-enabled
+  per TD-VUL-006 fix sequence. A comment in the README notes this.
+
+### Fixed — `.vscode/` removed from tree and gitignored
+
+- **`.vscode/settings.json`** — was tracked on develop but carries
+  per-user editor settings (e.g. Snyk IDE prefs). Untracked via
+  `git rm` and added to `.gitignore` so it stays out of every branch.
+  This closes the loop on the leak that happened during the first
+  develop → main strip merge attempt: VSCode recreated the file between
+  `rm -rf` and `git commit`, so it landed in the merge commit. The
+  commit was amended to remove it (see `a72a959`), but the root cause
+  was that the file was tracked on develop at all. Now both the strip
+  script and .gitignore cooperate to keep it out.
+
 ### Fixed — strip_for_main.sh mid-merge support + two drift fixes
 
 - **`scripts/strip_for_main.sh`** — the documented `git merge develop

README.md

@@ -1,5 +1,8 @@
 # AgentAuth
 
+[![CI](https://github.com/devonartis/agentauth/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/devonartis/agentauth/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/devonartis/agentauth/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/devonartis/agentauth/actions/workflows/codeql.yml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/devonartis/agentauth/badge)](https://securityscorecards.dev/viewer/?uri=github.com/devonartis/agentauth)
 [![Go Reference](https://pkg.go.dev/badge/github.com/devonartis/agentauth.svg)](https://pkg.go.dev/github.com/devonartis/agentauth)
 [![Go Report Card](https://goreportcard.com/badge/github.com/devonartis/agentauth)](https://goreportcard.com/report/github.com/devonartis/agentauth)
 [![License](https://img.shields.io/badge/License-AGPL--3.0-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)
@@ -9,6 +12,15 @@
 [![EdDSA](https://img.shields.io/badge/Signing-Ed25519%20EdDSA-8B5CF6)](https://ed25519.cr.yp.to/)
 [![SPIFFE](https://img.shields.io/badge/Identity-SPIFFE-0F9D58)](https://spiffe.io/)
 
+<!--
+Badge note: CI, CodeQL, and OpenSSF Scorecard badges will show as "not found"
+or broken while this repo is private — those badges require public repo visibility
+(and for CodeQL/Scorecard, the workflows must be re-enabled, see TD-VUL-006).
+They're added now so the moment the repo flips public, they light up without
+needing a README update. Fire-and-forget.
+-->
+
+
 **Ephemeral agent credentialing for AI systems.**
 
 AgentAuth is a credential broker that issues short-lived, scope-attenuated tokens to AI agents. Each agent gets a unique [SPIFFE](https://spiffe.io/)-format identity and operates with only the permissions its task requires. Tokens are signed with Ed25519 (EdDSA), expire in minutes, and are revocable at four levels (token, agent, task, delegation chain). Every credential event is recorded in a tamper-evident audit trail.