Add AGENTS.md and REVIEW.md for contributor and AI agent guidance

[dotjs]

Adds two contributor-facing documents:

• AGENTS.md — guidance for AI coding agents (and new human contributors) working in this repo. Covers security expectations, testing conventions, the unsafe/dependency policy, code generation and assembly rules, API/compatibility expectations, lint contract, and the escalation paths.
• REVIEW.md — a code review checklist mirroring what CI already enforces plus the human-judgement items reviewers should add on top.

Approach

Every rule is grounded in something already in the tree — .golangci.yaml, go.mod, .github/workflows/ci-actions.yml, the Makefile, or specific recent commits. The goal was to encode the tacit conventions a maintainer already follows so that a new contributor (or AI agent) starts from the same baseline, without inventing aspirational policy.

Notable choices:

• Frames the bar as "correct and justified," not "frozen" — matches the README's experimental-library disclaimer.
• Cites concrete precedent commits for input-validation patterns (sign/bls, ecc/bls12381, zk/qndleq, pki), KAT regeneration (91088f2), and shadow checks (6223887).
• Treats unsafe as permitted-but-scrutinized, reflecting actual usage in simd/keccakf1600, internal/sha3, dh/csidh, ecc/fourq.
• Reproduces the depguard allowlist verbatim from .golangci.yaml.
• Points to the existing security policy (HackerOne / [email protected]) for vulnerability disclosure rather than inventing a new flow.

Happy to iterate on any specifics — these are intended as a living baseline the maintainers own going forward, not a finished policy document.

---

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[cjpatton]

Looks good, thank you Andrew!