[EPAC-1745]: add community standards docs

[riddim-developer-bot]

Why

epac is preparing to show a complete set of GitHub Community Standards files for contribution guidance and security reporting.

What changed

• Added CONTRIBUTING.md at repo root with issue/PR conventions, local dev expectations, support flow, and a Code of Conduct link.
• Added CODE_OF_CONDUCT.md based on Contributor Covenant 2.1 with enforcement contact set to sunny@riddimsoftware.com.
• Added SECURITY.md with a brief private disclosure path and 7-day response commitment.
• Kept all references free of internal channels/keys and GitHub Discussions.

Verification

• git fetch origin main
• git rebase origin/main
• rg -n -i "discussions|jira|linear|slack|aws|secret|token|internal" CONTRIBUTING.md CODE_OF_CONDUCT.md SECURITY.md
• git status --short

No functional build/test commands were run because this change is documentation-only.

Notes

• Estimated effort from Linear issue is present (2) and not missing.
• Branch is single commit: 7bd7429.

Reviewer-Boundary: review-only

Resolves EPAC-1745

[riddim-reviewer-bot]

ReviewAutonomousPR

• Verdict: approve
• Reviewer boundary: review_only
• Acceptance criteria coverage: covered=5, missing=0, unclear=0

Summary

The PR adds all three required community files at the repository root and they align with the stated acceptance criteria. The documents avoid internal-only references and include the required contact paths and non-bug-bounty/security language.

Actionable findings

• None.

Acceptance criteria coverage

• covered — CONTRIBUTING.md covers issue filing, proposing changes, branch/PR conventions (including neutral automated-review mention), local-dev expectations, and code of conduct pointer.
  • File includes explicit issue/reporting workflow, change proposal steps, branching/PR guidance, mentions automated first-pass review, local dev requirements, and a Code of Conduct link.
• covered — CODE_OF_CONDUCT.md uses Contributor Covenant 2.1 content with enforcement contact sunny@riddimsoftware.com.
  • Document text is largely standard CoC 2.1 language and sets enforcement contact to sunny@riddimsoftware.com.
• covered — SECURITY.md includes responsible disclosure path, contact email, and states no public bug bounty.
  • Contains private email reporting path, explicit instruction not to open public issues, response commitment, and 'No public bug bounty program is currently offered.'
• covered — No references to GitHub Discussions/internal Jira/Slack/AWS in the three files.
  • No such terms appear in the shown diff content.
• covered — All three files expected to render cleanly on GitHub.
  • Simple Markdown with standard headings, lists, links, and no syntax issues evident.