docs: add SECURITY.md with vulnerability reporting policy#30

Merged
olamide226 merged 1 commit into main from docs/security-policy
Mar 14, 2026
Conversation

@olamide226
Contributor

Summary

  • Adds SECURITY.md at the repo root so GitHub surfaces the Security Policy tab and links to it from the private vulnerability reporting flow
  • Supported versions table covering all six components (gateway + 5 npm packages)
  • Two reporting channels: GitHub Private Vulnerability Reporting (preferred) and email fallback
  • Response timeline commitments (ack ≤2 days, fix ≤14 days for Critical/High)
  • Explicit in-scope / out-of-scope definitions — including callout that PUBLIC var visibility is a documented design trade-off, not a bug
  • Summary of REP's key security properties with pointer to spec/SECURITY-MODEL.md for the full threat model

Test plan

  • Verify GitHub shows the Security Policy tab on the repo page after merge
  • Confirm the "Report a vulnerability" button in the Security tab links to the advisory form
  • Check that email address in Option 2 is correct before merging

Copilot AI review requested due to automatic review settings March 14, 2026 23:48
Contributor

Copilot AI left a comment

Pull request overview

Adds a repository-wide security policy to define supported versions and establish a private process for reporting and handling vulnerabilities across REP components.

Changes:

  • Introduces SECURITY.md with supported-version guidance for Gateway/SDK/CLI/adapters.
  • Documents private vulnerability reporting channels (GitHub advisories + email) and expected response timelines.
  • Defines scope/in-scope vs out-of-scope issues and links to the detailed security model spec.

@olamide226 olamide226 merged commit 763156c into main Mar 14, 2026
13 checks passed
@olamide226 olamide226 deleted the docs/security-policy branch March 14, 2026 23:51
2 participants