Commit 86f632b
docs(README): visual refresh + supply-chain badges
User-requested README glow-up. Replaces the dense 109-line version
with a 409-line layout that's actually scannable, plus the badge set
the user asked for (OpenSSF Best Practices, OpenSSF Scorecard,
Sigstore, SLSA, plus a pkg.go.dev reference).
Visual changes:
* Centered title block with subtitle + hero badges in 4 grouped rows
(release / CI / supply-chain / project-fact).
* Three-column feature grid ("Why codeiq") with deterministic /
agent-ready / supply-chain-hardened / polyglot / no-AI /
single-binary callouts.
* ASCII pipeline diagram in "How it works".
* Documentation as a 3-column grouped table (starter / reference /
operate) for quick navigation.
* Collapsible CLI cheatsheet + MCP tool list.
* Verification section with three concrete commands (cosign-checksum,
cosign-darwin, gh attestation verify).
Badge additions:
* OpenSSF Best Practices (cii/percentage/12650 — auto-updates with
project score)
* OpenSSF Scorecard (img.shields.io/ossf-scorecard/<repo>)
* Sigstore keyless badge (project-fact, not auto-status)
* SLSA build provenance badge (project-fact)
* Perf-gate workflow status
* Scorecard workflow status
* pkg.go.dev reference
* 880+ tests fact
* CGO required fact
Badge omission with explicit footnote:
* SonarQube/SonarCloud — codeiq deliberately replaced Sonar + CodeQL
+ OWASP Dependency-Check with the OSS-CLI security stack in CI
(semgrep + osv-scanner + trivy + gitleaks + jscpd + govulncheck
+ native GitHub CodeQL). A Sonar badge would misrepresent the
setup. Inline <sup> note under the badge block + cross-link to
docs/07-integrations.md.
All badge URLs spot-checked HTTP 200/302 from this host.
No code changes.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

1 parent 970e7bc, commit 86f632b
1 file changed
Lines changed: 353 additions & 53 deletions