
docs: reorder and expand security badges#419

Merged
nullvariant merged 1 commit into main from docs/reorder-and-expand-badges on Apr 1, 2026

Conversation

@nullvariant
Owner

Summary

  • Reorder root README badges into 5 logical groups
  • Add 6 new badges: Socket.dev, GitGuardian, Renovate, FOSSA, REUSE, CLA assistant

Badge groups (root README)

| Group | Badges |
|---|---|
| CI / Platform | CI, Security, Platform |
| Supply Chain | SLSA 3, Sigstore, SBOM, OpenSSF Scorecard, OpenSSF Best Practices, Harden-Runner |
| Scanning | Snyk, Socket.dev, GitGuardian, Renovate |
| License / Compliance | FOSSA, REUSE, CLA assistant |
| Code Quality | Codecov, SonarCloud ×5 |

Note

Some new badges (FOSSA, REUSE, Socket.dev, CLA assistant) require service integration to display correctly. Service setup is tracked separately.

Test plan

  • Verify all existing badges still render correctly
  • Confirm badge ordering matches the 5-group structure

🤖 Generated with Claude Code

Reorder into 5 logical groups: CI/Platform, Supply Chain,
Scanning, License/Compliance, Code Quality.
New badges: Socket.dev, GitGuardian, Renovate, FOSSA, REUSE,
CLA assistant.

🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6-20250415
@qodo-code-review

Review Summary by Qodo

Reorganize and expand README security badges

📝 Documentation


Walkthroughs

Description
• Reorganize README badges into 5 logical groups
• Add 6 new security and compliance badges
• Update documentation hash for verification
Diagram

```mermaid
flowchart LR
  A["README Badges"] --> B["CI/Platform Group"]
  A --> C["Supply Chain Group"]
  A --> D["Scanning Group"]
  A --> E["License/Compliance Group"]
  A --> F["Code Quality Group"]
  B -- "CI, Security, Platform" --> B1["3 badges"]
  C -- "SLSA 3, Sigstore, SBOM, OpenSSF, Harden-Runner" --> C1["5 badges"]
  D -- "Snyk, Socket.dev, GitGuardian, Renovate" --> D1["4 badges"]
  E -- "FOSSA, REUSE, CLA assistant" --> E1["3 badges"]
  F -- "Codecov, SonarCloud metrics" --> F1["6 badges"]
```


File Changes

1. README.md 📝 Documentation +12/-6

Reorganize and expand security badges

• Reordered badges into 5 groups: CI/Platform, Supply Chain, Scanning, License/Compliance, Code Quality
• Added 6 new badges: Socket.dev, GitGuardian, Renovate, FOSSA, REUSE, CLA assistant
• Moved existing badges to appropriate groups for better organization

2. extensions/git-id-switcher/src/ui/documentationInternal.ts 📝 Documentation +1/-1

Update documentation hash for README changes

• Updated README.md hash value to reflect badge reorganization changes

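The walkthrough above lists a Socket.dev badge among the six added to the root README. A Socket npm badge is keyed by an npm package name, so it only reports on this project if a package of that exact name is what the project publishes. The lint below is an added example, not the repository's own code or tooling: it scans README text for Socket npm badge URLs and checks each package name against the repository's manifests, flagging a badge whose target is absent, private, or a VS Code extension manifest. The manifests and README lines are constructed samples modelled on the review's description (private root workspace, extension manifest with `publisher` and `engines.vscode`); the root workspace name and the regex for Socket's badge URL layout are assumptions, not facts from the repo or Socket's documentation.

```typescript
// Added example, not the repository's own code: lint README badges that are
// scoped to an npm package against what the repo's manifests actually publish.

interface Manifest {
  name: string;
  private?: boolean;
  publisher?: string;                        // VS Code extension field
  engines?: { vscode?: string; node?: string };
}

interface BadgeFinding {
  url: string;
  packageName: string;
  reason: string;
}

// Assumed shape of Socket's npm badge URL, taken from the badge in the PR;
// this is not a documented Socket API contract.
const SOCKET_NPM_BADGE = /https:\/\/socket\.dev\/api\/badge\/npm\/package\/([^\s)]+)/;

function lintNpmBadges(readme: string, manifests: Manifest[]): BadgeFinding[] {
  const findings: BadgeFinding[] = [];
  const re = new RegExp(SOCKET_NPM_BADGE.source, 'g');
  let m: RegExpExecArray | null;
  while ((m = re.exec(readme)) !== null) {
    const url = m[0];
    const pkg = m[1];
    const manifest = manifests.find((p) => p.name === pkg);
    if (manifest === undefined) {
      // Nothing in the repo claims this name: the badge may render a stranger's score.
      findings.push({ url, packageName: pkg, reason: `no manifest in the repo is named "${pkg}"` });
    } else if (manifest.private) {
      findings.push({ url, packageName: pkg, reason: `"${pkg}" is private: true, so nothing is published to npm` });
    } else if (manifest.publisher !== undefined || manifest.engines?.vscode !== undefined) {
      findings.push({
        url,
        packageName: pkg,
        reason: `"${pkg}" is a VS Code extension (publisher/engines.vscode); users install it from the Marketplace, not npm`,
      });
    }
    // Otherwise the badge names a package the repo really publishes: no finding.
  }
  return findings;
}

// Constructed sample inputs (the root workspace name is assumed).
const SAMPLE_MANIFESTS: Manifest[] = [
  { name: 'nullvariant-workspace', private: true },
  { name: 'git-id-switcher', publisher: 'nullvariant', engines: { vscode: '^1.85.0' } },
];

// Constructed README excerpt: one repo-scoped badge (ignored) and the Socket npm badge from the PR.
const SAMPLE_README = [
  '[![Snyk](https://snyk.io/test/github/example/repo/badge.svg)](https://snyk.io/test/github/example/repo)',
  '[![Socket Badge](https://socket.dev/api/badge/npm/package/git-id-switcher)](https://socket.dev/npm/package/git-id-switcher)',
].join('\n');

function runSampleLint(): BadgeFinding[] {
  return lintNpmBadges(SAMPLE_README, SAMPLE_MANIFESTS);
}

for (const f of runSampleLint()) {
  console.log(`badge ${f.url}: ${f.reason}`);
}
```

Run it over the real README and the `package.json` files found by the workspace globs; a finding means the badge should be retargeted at the artifact users install or removed until a package by that name is published.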


qodo-code-review Bot commented Apr 1, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)



Remediation recommended

1. Socket badge wrong target 🐞 Bug ≡ Correctness
Description
README.md adds a Socket.dev badge for the npm package "git-id-switcher", but this repo’s
"git-id-switcher" appears to be a VS Code extension package (not an npm-published library), so the
badge can render broken/misleading security status or point to an unrelated third-party npm package.
Code

README.md[13]

+[![Socket Badge](https://socket.dev/api/badge/npm/package/git-id-switcher)](https://socket.dev/npm/package/git-id-switcher)
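Review bot: this badge is keyed by npm package name, and nothing visible in the repo publishes an npm package called `git-id-switcher`. Before keeping the line, check the registry (`npm view git-id-switcher name maintainers` exits with E404 if no such package exists): if an unrelated package of that name exists, the README shows a third party's supply-chain score beside this extension; if none exists, the badge image fails. Point the badge at the artifact users actually install, or drop it until there is a published package to scan.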
Evidence
The README change introduces an npm-specific Socket badge. The only "git-id-switcher" package
metadata in-repo is a VS Code extension manifest (publisher + engines.vscode), while the monorepo
root is private, which together indicates this project is not an npm-distributed package named
"git-id-switcher"; therefore the badge target is very likely incorrect for the artifact users
actually install (VS Code Marketplace/Open VSX).

README.md[12-18]
extensions/git-id-switcher/package.json[1-10]
package.json[1-10]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The root README adds a Socket badge that is explicitly tied to an **npm package** (`.../badge/npm/package/git-id-switcher`). This repository’s `git-id-switcher` appears to be a **VS Code extension**, so the badge may be broken or could display supply-chain status for a different npm package with the same name.

### Issue Context
- The repo is a private npm workspace monorepo, and `extensions/git-id-switcher/package.json` contains VS Code extension-specific fields (e.g., `publisher`, `engines.vscode`).
- The badge URL currently implies an npm distribution named `git-id-switcher`.

### Fix Focus Areas
- README.md[12-15]

### Suggested fix
Update or remove the Socket badge so it reflects the actual distributed artifact:
- If you intend to scan the **repository**, switch to the Socket badge type that targets a GitHub repo (if supported by your integration), or
- If you intend to scan an **npm package**, change the badge to the exact published package name/scope that corresponds to this project (if one exists), otherwise remove the badge until publishing/integration exists.




Advisory comments

2. Unused README hash update 🐞 Bug ⚙ Maintainability
Description
The PR updates the unprefixed DOCUMENT_HASHES['README.md'] value, but the production documentation
fetch path calls verifyContentHash(path, content) without isMonorepoRoot=true, so this updated
entry does not participate in runtime integrity checks and can mislead maintainers about what is
actually enforced.
Code

extensions/git-id-switcher/src/ui/documentationInternal.ts[64]

+  'README.md': 'f8c29bba875e9b0413da7e3a82ad1cbbbf3d38938b991332a359122dd7717efd',
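Review bot: this literal is only consulted when verifyContentHash is called with isMonorepoRoot=true, and the evidence cited here shows the runtime fetcher passing two arguments, so bumping it keeps the table tidy without changing what is enforced. If the key stays, add a test that recomputes the value from the root README (`shasum -a 256 README.md` should print the value on this line) so a future README edit that forgets this entry fails CI instead of silently diverging; otherwise remove the unprefixed entries as the first suggested fix proposes.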
Evidence
verifyContentHash only uses the unprefixed hash key when isMonorepoRoot is true (default is
false). The production fetcher (fetchDocumentByPath) calls verifyContentHash(path, content) with
only two arguments, so runtime verification uses the prefixed key
(extensions/git-id-switcher/{path}) rather than the unprefixed README.md. The only demonstrated
use of isMonorepoRoot=true is in unit tests.

extensions/git-id-switcher/src/ui/documentationInternal.ts[117-158]
extensions/git-id-switcher/src/ui/documentationPublic.ts[87-129]
extensions/git-id-switcher/src/test/documentation.test.ts[784-846]
extensions/git-id-switcher/src/ui/documentationInternal.ts[24-66]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The PR updates `DOCUMENT_HASHES['README.md']` (unprefixed). However, the production documentation fetcher verifies hashes via `verifyContentHash(path, content)` without setting `isMonorepoRoot=true`, meaning unprefixed entries like `'README.md'` are not used for runtime integrity enforcement.

### Issue Context
This is confusing to maintain because it looks like a security/integrity control is being maintained when it is not actually applied in the runtime path.

### Fix Focus Areas
- extensions/git-id-switcher/src/ui/documentationInternal.ts[24-66]
- extensions/git-id-switcher/src/ui/documentationInternal.ts[117-158]
- extensions/git-id-switcher/src/ui/documentationPublic.ts[87-129]

### Suggested fix
Choose one direction:
1) **If monorepo-root documents are not meant to be fetched/verified at runtime**: remove unprefixed monorepo-root entries (like `'README.md'`) from `DOCUMENT_HASHES` and adjust tests/comments accordingly.

2) **If monorepo-root documents are meant to be supported**: plumb an `isMonorepoRoot` signal through the fetch/verify flow so that monorepo-root paths are fetched from the correct base and verified against unprefixed keys.



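The second finding above turns on a lookup rule: hashes are keyed by path, the default lookup prefixes `extensions/git-id-switcher/`, and only an explicit `isMonorepoRoot=true` consults the unprefixed key, which the production fetcher never passes. The block below is an added illustration of that scheme written for this page, not the extension's own `documentationInternal.ts` or `documentationPublic.ts`; the prefix constant, the function names and the fetcher shapes follow the review's description but are assumptions. The two sample documents are constructed, and their hashes are computed at load so the example runs offline (a real table commits the hex literals, as the hunk above does). It shows the root README failing the two-argument path, passing once the flag is plumbed through, and a tampered root README failing either way.

```typescript
import { createHash } from 'crypto';

// Added illustration, not the extension's code: model of the
// DOCUMENT_HASHES / verifyContentHash lookup described in the review.

const EXTENSION_PREFIX = 'extensions/git-id-switcher/'; // assumed prefix, per the review

const sha256 = (text: string): string =>
  createHash('sha256').update(text, 'utf8').digest('hex');

// Constructed stand-ins for the monorepo-root README and the extension README.
const SAMPLE_DOCS: Record<string, string> = {
  'README.md': '# monorepo root README (sample)\n',
  'extensions/git-id-switcher/README.md': '# git-id-switcher README (sample)\n',
};

// Pinned table: one unprefixed (monorepo-root) key and one prefixed key.
const DOCUMENT_HASHES: Record<string, string> = {
  'README.md': sha256(SAMPLE_DOCS['README.md']),
  'extensions/git-id-switcher/README.md': sha256(SAMPLE_DOCS['extensions/git-id-switcher/README.md']),
};

// Lookup rule from the review: the unprefixed key is used only when isMonorepoRoot is true.
function verifyContentHash(path: string, content: string, isMonorepoRoot = false): boolean {
  const key = isMonorepoRoot ? path : EXTENSION_PREFIX + path;
  const expected = DOCUMENT_HASHES[key];
  if (expected === undefined) return false; // unknown document: fail closed
  return sha256(content) === expected;
}

// Fetcher as reviewed: two-argument call, so 'README.md' always resolves to the
// extension README's hash. `fetched` stands in for the downloaded body.
function fetchDocumentAsReviewed(path: string, fetched: string): string {
  if (!verifyContentHash(path, fetched)) throw new Error(`integrity check failed for ${path}`);
  return fetched;
}

// Fetcher with the flag plumbed through (the review's second suggested fix).
function fetchDocumentWithRootFlag(path: string, fetched: string, isMonorepoRoot: boolean): string {
  if (!verifyContentHash(path, fetched, isMonorepoRoot)) throw new Error(`integrity check failed for ${path}`);
  return fetched;
}

function accepted(fn: () => string): boolean {
  try { fn(); return true; } catch { return false; }
}

// Outcomes for the genuine root README via each fetcher, plus a tampered copy.
function demonstrateGap(): { byReviewedFetcher: boolean; byFlaggedFetcher: boolean; tamperedByFlaggedFetcher: boolean } {
  const root = SAMPLE_DOCS['README.md'];
  const tampered = root + '\n[update](https://attacker.example/installer)\n'; // constructed tampering
  return {
    byReviewedFetcher: accepted(() => fetchDocumentAsReviewed('README.md', root)),           // false: compared against the extension README's hash
    byFlaggedFetcher: accepted(() => fetchDocumentWithRootFlag('README.md', root, true)),     // true
    tamperedByFlaggedFetcher: accepted(() => fetchDocumentWithRootFlag('README.md', tampered, true)), // false
  };
}

console.log(demonstrateGap());
```

The first field is the review's point: with the two-argument call the unprefixed entry is never read, so the root README can only verify against the wrong hash. Whichever fix direction is chosen, the table should only carry keys that some runtime call site can reach, so that every entry in it is an enforced pin rather than a comment that looks like one.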

@github-actions
Contributor

github-actions Bot commented Apr 1, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 6421527.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

@nullvariant-mimi
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


Please make sure to run it through the validator.

This report was carefully prepared by nullvariant-mimi[bot]

@nullvariant-slow
Contributor

🦥 Slow's Code Review 😩

...yawn... Do I really have to review this?

⚠️ TOO LONG... I can barely keep my eyes open reading these:

| File | Lines |
|---|---|
| extensions/git-id-switcher/src/ui/documentationInternal.ts | 483 |

Split it up... reading long files is exhausting.


I don't want to work, I tell you.

This review was reluctantly filed by nullvariant-slow[bot]

@nullvariant-ciel
Contributor

nullvariant-ciel Bot commented Apr 1, 2026

🕊️ Ciel's Mediation 🌤️

*~~ floating down from the clouds ~~ The zoo seems a bit noisy today...*

2 zoo members have reviewed this PR.

| Zoo Member | Status |
|---|---|
| 🦥 Slow | Commented |
| 🐰 Mimi | Commented |

⚖️ The zoo has mixed opinions. Some are concerned, some are fine with it. Please review each comment carefully and make the final call.


Now, now, everything in moderation.

This mediation was peacefully delivered by nullvariant-ciel[bot]

@codecov

codecov Bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@sonarqubecloud

sonarqubecloud Bot commented Apr 1, 2026

@nullvariant nullvariant merged commit ff48aa0 into main Apr 1, 2026
30 checks passed
@nullvariant nullvariant deleted the docs/reorder-and-expand-badges branch April 1, 2026 04:31
