
docs(scorecard): drop Branch-Protection PAT recommendation #274

Merged
blove merged 2 commits into main from docs/scorecard-no-pat
Jun 25, 2026

Conversation


@blove blove commented Jun 25, 2026

Contributor

What

Rewrites two stale docs that recommended wiring a fine-grained Administration: read PAT (SCORECARD_TOKEN/repo_token) into ossf/scorecard-action to "un-exclude" the OSSF Scorecard Branch-Protection check:

  • docs/superpowers/specs/2026-06-18-ossf-scorecard-uplift-design.md (follow-up #1 + expected-trajectory table)
  • docs/superpowers/plans/2026-06-18-ossf-scorecard-uplift.md (out-of-scope bullet)

Why

The recommendation was wrong-signed for this repo. Dawn is a single-maintainer repo that merges via gh pr merge --auto --squash with intentionally weak protection (strict: false, required_pull_request_reviews: null, enforce_admins: false).

  • An inconclusive (-1) Branch-Protection check is excluded from the Scorecard aggregate mean — it costs nothing.
  • A scored check for this posture lands ~4 (Medium tier) and would drag the aggregate down, not up.
  • A standing admin:read PAT is also CI supply-chain surface.

cacheplane/angular-agent-framework proved this empirically: it wired the PAT in #689, then reverted it in #708 ("drop SCORECARD_TOKEN — let Branch-Protection go inconclusive").

Verified current state (unchanged by this PR — docs only)

  • repos/cacheplane/dawnai/branches/main/protection → strict: false, contexts: ["validate"], required_pull_request_reviews: null, required_conversation_resolution: true, enforce_admins: false.
  • gh secret list → only ANTHROPIC_API_KEY, NPM_TOKEN (no SCORECARD_TOKEN).
  • .github/workflows/scorecard.yml → publish_results: true, no repo_token. Left as-is.

No workflow, secret, or branch-protection changes — documentation only.

🤖 Generated with Claude Code

The spec/plan follow-ups recommended wiring a fine-grained admin:read PAT
(SCORECARD_TOKEN/repo_token) into ossf/scorecard-action to un-exclude the
Branch-Protection check. That's wrong-signed for this repo.

Dawn is a solo-maintainer repo that merges via `gh pr merge --auto --squash`
with intentionally weak protection (strict:false, no required reviews,
enforce_admins:false). An inconclusive (-1) check is excluded from the
Scorecard aggregate mean, so it costs nothing; a *scored* Branch-Protection
check for that posture lands ~4 and would drag the aggregate DOWN. A standing
admin:read PAT is also CI supply-chain surface.

AAF (cacheplane/angular-agent-framework) proved this empirically: wired the
PAT in #689, reverted it in #708 ("let Branch-Protection go inconclusive").

Rewrites the two stale recommendations to the verified stance and corrects
the expected-trajectory table (Branch-Protection no longer contributes).
scorecard.yml stays token-less; no SCORECARD_TOKEN secret.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
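The "costs nothing vs. drags the aggregate down" argument above, as an added example (not code from the PR, the Dawn repo, or ossf/scorecard): a small model of Scorecard's risk-weighted aggregate in which inconclusive (-1) checks are skipped. The risk weights are Scorecard's published ones (Critical 10, High 7.5, Medium 5, Low 2.5); the per-check scores in BOARD are constructed, not the repo's real results.

```python
from typing import Dict, Tuple

INCONCLUSIVE = -1

# Scorecard's risk-level weights used for the aggregate (Critical 10, High 7.5,
# Medium 5, Low 2.5).
RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}


def aggregate(checks: Dict[str, Tuple[int, str]]) -> float:
    """Risk-weighted mean of check scores.

    A check scored -1 (inconclusive) is dropped from both numerator and
    denominator, which is exactly why an excluded Branch-Protection check
    'costs nothing'.
    """
    total = 0.0
    weight = 0.0
    for _, (score, risk) in checks.items():
        if score == INCONCLUSIVE:
            continue
        w = RISK_WEIGHT[risk]
        total += score * w
        weight += w
    return total / weight if weight else 0.0


# Constructed sample board (illustrative scores, not the repo's actual ones).
# Branch-Protection is a High-risk check in Scorecard; here it is inconclusive
# because the workflow runs without a repo_token.
BOARD = {
    "Token-Permissions": (10, "High"),
    "Pinned-Dependencies": (8, "Medium"),
    "Dangerous-Workflow": (10, "Critical"),
    "Code-Review": (5, "High"),
    "CII-Best-Practices": (0, "Low"),
    "Branch-Protection": (INCONCLUSIVE, "High"),
}


def compare(board: Dict[str, Tuple[int, str]], scored_bp: int = 4):
    """(aggregate with BP inconclusive, aggregate with BP scored, delta).

    Wiring a PAT un-excludes Branch-Protection; for a weak posture the check
    lands around 4, so the delta is negative whenever the rest of the board
    already averages above 4.
    """
    excluded = aggregate(board)
    with_bp = dict(board)
    with_bp["Branch-Protection"] = (scored_bp, "High")
    scored = aggregate(with_bp)
    return excluded, scored, scored - excluded
```

The sign of the delta flips only when the scored Branch-Protection value exceeds the existing aggregate, which a posture with no required reviews and enforce_admins off does not reach.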
@blove blove enabled auto-merge (squash) June 25, 2026 15:46

@github-actions github-actions Bot left a comment


Automated approval: this PR received an intelligent (AI) code review. See the review comments on this PR.


github-actions Bot commented Jun 25, 2026


Claude finished @blove's task in 48s


PR Review: docs(scorecard): drop Branch-Protection PAT recommendation

  • Gather context and read changed files
  • Review documentation changes for correctness and consistency
  • Post findings

Verdict: LGTM — documentation-only, logically consistent correction.

What changed

Two bullets/sections in the scorecard uplift docs were corrected from "wire a PAT" to "leave inconclusive":

Correctness check

Follow-up #1 rewrite (specs file, line 59): The reasoning is sound and internally consistent:

  • -1 → excluded from aggregate mean (no cost)
  • Wiring admin:read PAT → scores ~4 (Medium tier) → drags aggregate down
  • The AAF empirical evidence (#689 wired, #708 reverted) is a strong cross-reference

Trajectory table (specs file, lines 74–79): The numbers are consistent with the change:

  • Removed the +0.85 Branch-Protection un-exclude from each subsequent row
  • "After follow-ups" dropped ~7.8 → ~7.0 (delta ≈ −0.8, matches the previously-stated +0.85 estimate)
  • "Maintained auto-flips" dropped ~8.6 → ~7.8 (same delta, carried forward correctly)
  • The added explanatory note is accurate

Current state verification: The PR body confirms no SCORECARD_TOKEN secret exists and scorecard.yml has no repo_token — so no workflow or secret changes are needed; this PR is purely correcting the doc that recommended adding one.

No issues found. The correction is accurate, well-justified, and the trajectory arithmetic is internally consistent.


vercel Bot commented Jun 25, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: dawnai
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Jun 25, 2026 3:47pm


The Branch-Protection row's Action column still said 'Follow-up (PAT)',
contradicting the rewritten follow-up #1. Point it to the no-PAT stance.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

github-actions Bot commented Jun 25, 2026


Claude finished @blove's task in 1m 17s


PR Review: docs(scorecard): drop Branch-Protection PAT recommendation

  • Gather context and read changed files
  • Review documentation changes for correctness and consistency
  • Post findings

Summary

Documentation-only correction across two files. The reasoning is sound and the technical claims are correct — this PR improves the guidance.

What changed:

  • plans/…-ossf-scorecard-uplift.md: Out-of-scope bullet: PAT recommendation → explicit "leave inconclusive, do NOT wire PAT" with rationale
  • specs/…-ossf-scorecard-uplift-design.md: Current-board Action cell, Follow-up #1, and expected-trajectory table all updated consistently

Correctness of the technical claims:

  • -1 checks are excluded from the aggregate mean. Correct per the OSSF Scorecard spec — inconclusive checks drop out of the weighted-average denominator entirely.
  • Scored weak-protection landing ~4. Plausible. Branch-Protection sub-checks for strict: false, required_pull_request_reviews: null, enforce_admins: false would fail the majority of the sub-checks; a Medium-tier score (~4) is the right ballpark.
  • A standing admin:read PAT is supply-chain surface. Correct and a meaningful security improvement to remove this recommendation.
  • AAF empirical reference (#689 wired, #708 reverted). Cited in both the PR body and the spec, consistent with the stated reason.

Consistency between files: Both files now agree — the plan's out-of-scope bullet and the spec's Follow-up #1 carry the same rationale. The trajectory table numbers are consistent with dropping Branch-Protection from the calculation entirely.

Minor note (no action needed): The trajectory table shows ~7.0 for both "After PR 2 (deps)" and "After follow-ups (Code-Review + badge)", which might read as the follow-ups having no effect. The explanatory paragraph added directly below the table addresses this context — Code-Review accumulates over many PRs and the CII badge is Low weight, so the ~7.0 plateau is correct.

No bugs, security issues, or type-safety concerns — this is purely documentation. The PR achieves what it says: retracts a wrong-signed recommendation and replaces it with accurate, well-reasoned guidance. Looks good.

@blove blove merged commit b3dd4ee into main Jun 25, 2026
7 checks passed
@blove blove deleted the docs/scorecard-no-pat branch June 25, 2026 15:56