docs: add SECURITY.md, ADRs, Mermaid diagram, and security badge#31

Merged: NWarila merged 1 commit into main from chore/portfolio-alignment-v1 on Jun 2, 2026
Conversation

NWarila (Owner) commented Jun 2, 2026

Summary

  • SECURITY.md: Adds supported-version policy (latest release / v1 tag), private vulnerability reporting via the GitHub Security tab, response-timeline table, and in/out-of-scope classification (scripts, workflows, reference configs; excludes upstream third-party tools).
  • docs/decision-records/0001: Captures the already-shipped decision that QA scripts are standalone and stdlib-only — no shared helper module, no third-party imports. Converts reasoning from PLAN.md Resolved Decision 14.
  • docs/decision-records/0002: Captures the already-shipped decision to use pull-based, manifest-driven template sync instead of push-based cross-repo credentials or git submodules. Converts reasoning from PLAN.md Resolved Decision 22 and PR #4 ("refactor: replace push-based sync with pull-based reusable workflow").
  • docs/diagrams/qa-template-sync-flow.mmd: Mermaid flowchart of the QA and template-sync flow — from scripts/ through auto-release.yml → release tag → self-update.yml → downstream sync PR → python-qa.yml reusable workflow.
  • README.md: Adds a Security Policy badge alongside the existing CI, Coverage, Python, Platform, and License badges.
  • .gitignore: Adds allowlist entries for SECURITY.md and the new docs/ directory tree (deny-all model requires explicit allowlisting of every new path).

Test plan

  • markdownlint passes on all new and modified .md files (verified locally: 0 errors)
  • All new files appear as tracked in git status --short (verified: no files ignored)
  • No AI bylines, Co-authored-by trailers, or "generated by" text in files or commit message (verified via grep)
  • CI (template-ci.yml) passes on the PR

Add SECURITY.md with supported-version policy, private vulnerability
reporting via the Security tab, and in/out-of-scope classification.

Add docs/decision-records/0001 (standalone stdlib-only scripts) and
0002 (pull-based manifest-driven template sync), capturing decisions
already shipped and reasoned in PLAN.md.

Add docs/diagrams/qa-template-sync-flow.mmd showing the QA and
template-sync flow from scripts/ through auto-release to downstream
sync PRs.

Add Security Policy badge to the README badge row alongside the
existing CI, Coverage, Python, Platform, and License badges.

Update .gitignore allowlist to track SECURITY.md and the new docs/
directory tree.
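
The deny-all allowlist and the "no files ignored" check from the PR body and test plan, as an added example (not code from this repository): it writes the allowlist into a throwaway repo built from constructed file names, verifies with git check-ignore that each new path is tracked while a stray file stays ignored, and shows why the parent-directory negation `!docs/` is required alongside `!docs/**`.

```shell
# Added example, not code from this repository: a deny-all .gitignore with an
# explicit allowlist for SECURITY.md and the docs/ tree, plus the git check
# behind "no files ignored". All file names below are constructed.
set -eu
# Correct allowlist: "*" ignores everything, so every tracked file AND every
# parent directory is re-included explicitly (the last matching line wins).
write_allowlist() {
    cat > "$1/.gitignore" <<'EOF'
*
!.gitignore
!README.md
!SECURITY.md
!docs/
!docs/**
EOF
}

# Common mistake: "!docs/**" without "!docs/". The docs directory itself stays
# ignored, and git never re-includes a file whose parent directory is ignored.
write_broken_allowlist() {
    printf '%s\n' '*' '!.gitignore' '!SECURITY.md' '!docs/**' > "$1/.gitignore"
}

# Creates a throwaway repo holding the PR's new paths plus one stray file.
make_repo() {
    tmp=$(mktemp -d)
    git -C "$tmp" init -q
    mkdir -p "$tmp/docs/decision-records" "$tmp/docs/diagrams" "$tmp/scratch"
    : > "$tmp/README.md"; : > "$tmp/SECURITY.md"; : > "$tmp/scratch/notes.txt"
    : > "$tmp/docs/decision-records/0001-standalone-scripts.md"
    : > "$tmp/docs/diagrams/qa-template-sync-flow.mmd"
    printf '%s' "$tmp"
}
# is_ignored REPO PATH: exit 0 if git ignores PATH (git check-ignore semantics).
is_ignored() { git -C "$1" check-ignore -q -- "$2"; }

# Returns 0 when the allowlist tracks every new path and still ignores the
# stray file, and the broken allowlist demonstrably loses the docs tree.
demo() {
    r=$(make_repo); write_allowlist "$r"
    for p in .gitignore SECURITY.md docs/diagrams/qa-template-sync-flow.mmd \
             docs/decision-records/0001-standalone-scripts.md; do
        if is_ignored "$r" "$p"; then echo "unexpectedly ignored: $p" >&2; return 1; fi
    done
    is_ignored "$r" scratch/notes.txt || return 1      # deny-all still holds
    write_broken_allowlist "$r"
    is_ignored "$r" docs/diagrams/qa-template-sync-flow.mmd || return 1
    rm -rf "$r"
}
```

Run `demo` in a shell with git installed; a non-zero exit names the first path whose ignore status differs from what the allowlist intends.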
@NWarila NWarila merged commit 102baa5 into main Jun 2, 2026
13 checks passed
@NWarila NWarila deleted the chore/portfolio-alignment-v1 branch June 2, 2026 19:50