Orchestration: CI, tests, security, and governance improvements #55

@Ladas

Description

Current maturity score: 2/5

This repository has working tests in CI (the only non-kagenti repo that does), but lacks security scanning, governance files, and supply chain hardening.

Top 5 gaps

  1. Zero security scanning — 0/8 applicable tools. This is a gRPC ext-proc service that intercepts and modifies HTTP request/response bodies — SAST is critical.
  2. No LICENSE file — The nemocheck plugin declares Apache-2.0 but no LICENSE file exists at the repo root.
  3. No container build in CI — 2 Dockerfiles exist but no CI workflow builds or pushes images.
  4. 0% SHA-pinned actions — Both actions are tag-pinned only. No permissions: block on the workflow.
  5. No Dependabot — requirements.txt, pyproject.toml, 2 container files, and 1 workflow have no automated dependency updates.

Recommended phase order

  1. orchestrate:precommit — Add shellcheck, hadolint, gitleaks, yamllint hooks
  2. orchestrate:tests — Add pytest-cov at server level; scaffold E2E tests for gRPC ext-proc flow
  3. orchestrate:ci — SHA-pin actions, add permissions, add Trivy, Bandit, dependabot, scorecard, container build workflow
  4. orchestrate:security — Add LICENSE (Apache 2.0), CODEOWNERS, SECURITY.md, CONTRIBUTING.md
  5. orchestrate:replicate — CLAUDE.md, .claude/settings.json, skills

Context
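
A check for gap 4 above, as an added example that is not part of the original issue or the repository's code: it audits a workflow file's text for action references that are not pinned to a full commit SHA and for a missing top-level `permissions:` block. The sample workflow and the name `audit_workflow` are constructed for illustration.

```python
import re

# Constructed sample (not the repository's real workflow): two tag-pinned
# actions and no permissions: block, the state gap 4 describes.
SAMPLE_WORKFLOW = """\
name: tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pytest
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Top-level key only: no indentation before "permissions:".
TOP_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


def audit_workflow(text):
    """Audit one workflow file's text for SHA pinning and a permissions block."""
    total, unpinned = 0, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions (./path) and docker:// images are not git refs.
        if ref.startswith(("./", "docker://")):
            continue
        total += 1
        rev = ref.partition("@")[2]
        if not FULL_SHA_RE.match(rev):
            unpinned.append((lineno, ref))
    pinned_pct = 100 * (total - len(unpinned)) // total if total else 100
    return {
        "total": total,
        "unpinned": unpinned,
        "sha_pinned_pct": pinned_pct,
        "has_top_level_permissions": bool(TOP_PERMISSIONS_RE.search(text)),
    }


if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

Run over each file in `.github/workflows/` in CI, a non-empty `unpinned` list or a false `has_top_level_permissions` can fail the job.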
