chore: repo hygiene — CodeQL, Dependabot, SECURITY.md, badges #12

Open
nvandessel wants to merge 3 commits into main from chore/repo-hygiene

Conversation

@nvandessel (Owner)

Summary

  • CodeQL scanning workflow (weekly + on PRs)
  • Dependabot for pip and GitHub Actions dependencies
  • SECURITY.md with vulnerability reporting process
  • README badges: tests, CodeQL, license, Python version
  • Coverage reporting in CI
  • Repo description and topics set

No PyPI deployment

Not needed yet — hippofloop is used locally via uv run hippofloop. PyPI publishing can be added when there's a stable release.
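The Dependabot configuration the summary describes (weekly updates for both pip and GitHub Actions dependencies) looks roughly like the following. This is an added illustration written for this page, not the PR's own `.github/dependabot.yml`; the labels and the open-PR limit are assumptions, not values taken from the repository.

```yaml
# .github/dependabot.yml (added example, not the PR's own file)
version: 2
updates:
  # Python dependencies declared for the project (pip ecosystem, per the PR summary).
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5   # assumed value; caps update noise
    labels:
      - "dependencies"            # assumed label name

  # Actions referenced under .github/workflows. When an action is pinned to a
  # commit SHA with a trailing "# vX.Y.Z" comment, Dependabot bumps the SHA and
  # the comment together, so pinning does not freeze the supply chain.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"            # assumed label name
```

The two entries are independent update streams; each opens its own pull request, which is what lets the CI workflow (lint plus pytest with coverage) act as the gate before a bumped dependency lands on `main`.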

nvandessel and others added 2 commits March 29, 2026 23:06
…ge in CI

- Add CodeQL scanning workflow (weekly + on PRs)
- Add Dependabot config for pip and GitHub Actions
- Add SECURITY.md with vulnerability reporting process
- Add README badges (tests, CodeQL, license, Python version)
- Add coverage reporting to CI test step
- Set repo description and topics

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@greptile-apps (Contributor)

greptile-apps bot commented Mar 29, 2026

Greptile Summary

This PR adds repo hygiene infrastructure: Dependabot config for pip and GitHub Actions, a SECURITY.md vulnerability reporting policy, README status badges, and coverage reporting in CI. The changes are straightforward and largely low-risk, but one issue needs attention before merge.

  • Dependabot (dependabot.yml): Correctly configured for weekly pip and GitHub Actions updates.
  • Coverage in CI (test.yml): --cov=hippofloop --cov-report=term-missing added; pytest-cov>=5.0 is already in dev dependencies — no breakage risk.
  • .gitignore: .coverage entry added; the binary accidentally committed in an earlier commit of this branch was properly removed.
  • SECURITY.md: Clean vulnerability disclosure policy pointing to GitHub private advisories; the previously flagged misleading "Email:" label was fixed in the head commit.
  • README badges: The Tests, License, and Python badges are fine. The CodeQL badge image URL still references .github/workflows/codeql.yml/badge.svg, but that workflow file was removed in this PR's head commit. The badge will render as permanently inactive until either the workflow file is restored or the badge is updated to use the security/code-scanning/badge.svg endpoint.

Confidence Score: 4/5

Safe to merge after fixing the broken CodeQL badge image URL — all other changes are correct and low-risk.

One P1 issue remains: the CodeQL badge image points to a workflow file (codeql.yml) that no longer exists in the repo, so it will render as permanently inactive. All other changes (Dependabot, coverage flags, gitignore, SECURITY.md) are clean. Score is 4 rather than 5 because of this present, observable defect in the changed file.

README.md — the CodeQL badge image URL references a deleted workflow file.

Important Files Changed

Filename: Overview

  • README.md: Adds four status badges; the CodeQL badge image URL references a workflow file that was removed in this PR's head commit, causing it to render as permanently inactive.
  • .github/dependabot.yml: New Dependabot config enabling weekly updates for both pip and GitHub Actions dependencies — correctly structured.
  • .github/workflows/test.yml: Adds --cov=hippofloop --cov-report=term-missing to the pytest invocation; pytest-cov>=5.0 is already declared in dev dependencies so this is safe.
  • .gitignore: Adds .coverage to gitignore; the binary was accidentally committed in an earlier commit of this PR and was subsequently removed — the gitignore entry prevents recurrence.
  • SECURITY.md: New security policy file directing reporters to GitHub private security advisories; previously flagged 'Email:' label issue was resolved in the head commit.

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push or PR to main] --> B[test.yml workflow]
    B --> C[Checkout]
    C --> D[Install uv + deps]
    D --> E[Lint via ruff]
    E --> F[pytest + coverage report]

    A --> G{codeql.yml exists?}
    G -- No, file removed --> H[Badge inactive - no status returned]
    G -- Yes, file present --> I[CodeQL scan runs]
    I --> J[Code scanning results page]

    K[Dependabot weekly] --> L[pip deps PR]
    K --> M[GitHub Actions deps PR]
```

Reviews (2): Last reviewed commit: "fix: address Greptile review + CodeQL co..."

- Remove custom codeql.yml — repo default setup already handles it
- Fix SECURITY.md misleading "Email:" label (Greptile P2)
- CodeQL badge points to code scanning page

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# hippofloop

[![Tests](https://github.com/nvandessel/hippofloop/actions/workflows/test.yml/badge.svg)](https://github.com/nvandessel/hippofloop/actions/workflows/test.yml)
[![CodeQL](https://github.com/nvandessel/hippofloop/actions/workflows/codeql.yml/badge.svg)](https://github.com/nvandessel/hippofloop/security/code-scanning)
Contributor

P1 CodeQL badge image will always render as inactive

The badge image URL (https://github.com/…/actions/workflows/codeql.yml/badge.svg) requires an actual .github/workflows/codeql.yml file to exist in the repository. In the latest commit of this PR (a3359c3), that file was deliberately removed ("Remove custom codeql.yml — repo default setup already handles it") and no such file exists at HEAD. GitHub's default CodeQL setup does not create a user-visible codeql.yml workflow file, so the badge.svg endpoint will return a permanent "no status" / inactive badge.

The link target was correctly updated to /security/code-scanning, but the image source was left pointing at the missing workflow.

Options to fix:

  1. Re-add codeql.yml — restore a minimal CodeQL workflow (with all actions pinned to SHAs per the previous review feedback) so the badge has a real workflow to track.
  2. Remove the badge — since the default setup doesn't surface a per-workflow badge, omit the CodeQL badge until a workflow file is added.
Suggested change
[![CodeQL](https://github.com/nvandessel/hippofloop/actions/workflows/codeql.yml/badge.svg)](https://github.com/nvandessel/hippofloop/security/code-scanning)
[![CodeQL](https://github.com/nvandessel/hippofloop/security/code-scanning/badge.svg)](https://github.com/nvandessel/hippofloop/security/code-scanning)

Note: the security/code-scanning/badge.svg path is the GitHub-provided badge for the code-scanning results page and works without a custom workflow file.
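Option 1 above asks for a minimal CodeQL workflow with every action pinned to a commit SHA. The file below is an added example of what that would look like; it is not the workflow the PR removed, and the SHA values are placeholders to be replaced with the full commit hash of the release tag you adopt (the schedule, the `category` value and the language list are assumptions for a Python project like this one).

```yaml
# .github/workflows/codeql.yml (added example; not the PR's removed workflow)
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (assumed schedule)

# Least privilege for the default GITHUB_TOKEN: read the tree, upload results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      # Every action is pinned to a full commit SHA, not a mutable tag, so a
      # retagged or compromised release cannot change what runs here. The
      # "<FULL_COMMIT_SHA>" strings are placeholders; keep the "# vX.Y.Z"
      # comment beside each pin so Dependabot can bump SHA and comment together.
      - uses: actions/checkout@<FULL_COMMIT_SHA>  # v4.x.y (placeholder)

      - uses: github/codeql-action/init@<FULL_COMMIT_SHA>  # v3.x.y (placeholder)
        with:
          languages: python

      - uses: github/codeql-action/analyze@<FULL_COMMIT_SHA>  # v3.x.y (placeholder)
        with:
          category: "/language:python"   # assumed category string
```

One caveat when choosing this option: an advanced (workflow-based) CodeQL configuration and GitHub's default setup cannot both be active for the same repository. If default setup is left enabled, code scanning rejects the SARIF uploaded by this workflow, so default setup has to be switched off in the repository's code security settings before the workflow file is restored. Otherwise Option 2 (dropping the badge until a workflow exists) is the lower-effort path.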
