Tim Rice authored
Prepare the source tree for public release under the Apache License, Version 2.0.

Adds the standard top-level files an open-source project is expected to ship:

- LICENSE.md: full Apache 2.0 text, copyright Tim Rice
- NOTICE: attribution for bundled GPL CLI scanners (wapiti, nikto, testssl.sh, sqlmap), MariaDB, and LGPL/MPL transitive deps; points to sbom.spdx.json / sbom.cdx.json for the full inventory
- SECURITY.md: private disclosure address, 2/5-day SLA, 30-day default embargo, scope (issues in nextgen-dast itself; bundled scanner vulns go upstream), safe-harbor clause
- CONTRIBUTING.md: PR workflow, DCO sign-off, US-English style, no version bumps without maintainer approval, no AI/machine-generated attribution, schema-migration dual-write rule, security-sensitive review areas
- README.md: append a License section linking the above

Audit confirmed Apache 2.0 is compatible: GPL components (wapiti, nikto, testssl.sh, sqlmap, MariaDB) are subprocess-invoked or wire-protocol services (mere aggregation, no linking). LGPL libs (ldap3, browser-cookie3, urwid) are transitive deps not directly imported. MPL-2.0 files (certifi) are redistributed unmodified.

Also remove scripts/recover_wapiti.py -- a single-use forensic recovery script for an April 2026 crashed-scan incident. The script had a real customer hostname and assessment ID hardcoded as constants; the recovery it performed has long since completed. The crash-resilience lesson is already integrated into orchestrator.py's normal pipeline.

f551e34c