chore: add CONTRIBUTING.md and Contributor License Agreement (CLA)

[rado0x54]

Problem

Once the repo flips public (#147), we need an external-contributor onboarding doc plus a Contributor License Agreement (CLA) before merging any non-trivial PR from outside the maintainer set.

Today there is no `CONTRIBUTING.md`, no CLA, and no PR template. This was originally bundled into #147 but split out — the licensing change can ship without it (we control all current commits; no third-party PRs are pending), and the CLA decision deserves more deliberate thought.

Why a CLA, not a DCO

The project is licensed under FSL-1.1-Apache-2.0 (#147). The intent is to keep the public source under FSL while preserving the option to dual-license — granting separate commercial licenses to enterprise customers whose legal teams can't accept FSL terms.

A DCO alone would lock us into FSL forever and forfeit that option. A CLA explicitly grants the project owner a broad enough copyright/patent license to relicense contributed code, without needing every past contributor's consent.

We don't intend to relicense the public source — FSL stays — but the option matters for enterprise sales conversations.

TODOs

CLA mechanism

• Pick a mechanism: lightweight (signed PR comment + `Signed-off-by:`) vs. automated (CLA Assistant bot or EasyCLA).
• Decide individual-only vs. individual + corporate variants.
• Run the CLA text by a lawyer if practical (Apache ICLA derivative or Harmony CLA Pro template are reasonable starting points).

Documents

• `CLA.md` — versioned CLA text at repo root. Include explicit dual-licensing language, governing law, definitions, copyright + patent grants, and "You have the right to grant" warranty.
• `CONTRIBUTING.md` — onboarding doc covering: licensing summary (with link to LICENSE + CLA), how to sign the CLA, code conventions pointer (link to AGENTS.md), local checks (`pnpm typecheck`/`lint`/`test`), security disclosure flow.
• `.github/pull_request_template.md` — checklist that includes a CLA confirmation line for first-time contributors.
• Note MPL-2.0 `web-push` modification caveat in CONTRIBUTING (file-level copyleft if anyone vendors + modifies it).

Wiring

• If using a bot: install the GitHub App, point it at the `CLA.md` file, set required-check on PRs.
• Link CONTRIBUTING from README.

Acceptance

• `CLA.md`, `CONTRIBUTING.md`, and a PR template all exist at repo root / `.github/`.
• PR template references the CLA.
• CLA enforcement mechanism (manual signoff or bot) is documented and active.

Out of scope

• Trademark policy text (covered by chore: adopt FSL-1.1-Apache-2.0 license before public release #147's Trademark TODO).
• Drafting commercial licensing terms (only needed when an enterprise customer asks).

Context

Split out from #147 at the maintainer's request — the FSL adoption can land without CLA/CONTRIBUTING infrastructure. They're an admission ticket for opening the repo to external PRs, not for going public read-only.