Add SECURITY.md and GitHub issue templates #10

Merged
zhawtof merged 1 commit into main from claude/sharp-goodall-abc295
May 16, 2026
Conversation

Contributor

@zhawtof zhawtof commented May 16, 2026

Summary

Standard OSS hygiene for a public template repo. No code changes.

  • SECURITY.md — private reporting via GitHub Security Advisories or `security@tightknit.ai`. Defines scope (Worker entry, OAuth flow, send pipeline, Slack events ingress) and out-of-scope (admin-account-takeover scenarios, fork misconfiguration, upstream dep CVEs). Sets ack/triage/fix response targets.
  • .github/ISSUE_TEMPLATE/bug_report.yml — form-based: repro, commit, area dropdown (Builder UI / Bot OAuth / User OAuth / Worker API / events / scripts / deploy / docs), env, logs. Tells reporters not to paste tokens.
  • .github/ISSUE_TEMPLATE/feature_request.yml — problem / proposal / alternatives. Notes upfront that this is an opinionated template so fork-only features are usually a better fit elsewhere.
  • .github/ISSUE_TEMPLATE/config.yml — disables blank issues, routes security reports to the advisory page, and points `@tightknitai/block-kit-builder` and `slack-hono` bugs upstream so this repo only collects template-level reports.

Skipped CODE_OF_CONDUCT.md per request.

Things to double-check

  • `security@tightknit.ai` is the address I used in SECURITY.md — swap if you'd rather route somewhere else.
  • The GitHub Security Advisory URL in `config.yml` and SECURITY.md assumes the canonical slug is `TightknitAI/block-kit-builder-template`. Same for the upstream issue links.

Test plan

  • Open the New issue page on GitHub after merge — confirm Bug / Feature appear and the blank option is gone.
  • Confirm the Report a vulnerability button on the Security tab works (it does so as soon as SECURITY.md is on the default branch).
  • Spot-check that the upstream "contact link" entries in `config.yml` resolve to real issue trackers.

🤖 Generated with Claude Code

Standard OSS hygiene: private vulnerability reporting via GitHub
Security Advisories + security@tightknit.ai, plus structured bug
and feature templates. Issue config disables blank issues and
routes package-level bugs to the block-kit-builder and slack-hono
repos so this template only collects template-level reports.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@zhawtof zhawtof merged commit 596d595 into main May 16, 2026
1 check passed
@zhawtof zhawtof deleted the claude/sharp-goodall-abc295 branch May 20, 2026 05:26