docs: add governance, roadmap, and security docs for OpenSSF Silver

[joshua-temple]

Problem

The OpenSSF Best Practices Silver criteria require a set of project documents cascade does not yet have: a code of conduct, a documented governance and roles model, a continuity and succession plan, a public roadmap, a security-requirements statement, and an assurance case (threat model and trust boundaries). The contribution docs also need an explicit test policy and coding standard.

Stacked on #396.

Fix

• CODE_OF_CONDUCT.md (Contributor Covenant) at the repo root.
• GOVERNANCE.md: decision model, roles and who holds them, and a continuity and succession plan.
• ROADMAP.md: public direction covering the next year, including explicit non-goals.
• docs/security-requirements.md: the security goals and trust model users can rely on.
• docs/assurance-case.md: threat model, trust boundaries, secure-design argument, and the argument that common weaknesses are countered.
• CONTRIBUTING.md: added a test policy (tests required for new functionality, e2e scenarios for generator changes) and a coding-standard section.
• README.md: a Project governance section linking the new documents.

The new docs/*.md files sit at the docs/ root, which the Astro Starlight site does not source (its loader globs only docs/src/content/docs/), so they are reachable via stable GitHub URLs without affecting the docs site. Architecture references point to the existing architecture documentation rather than duplicating it.

Verification

• go build ./... and go test ./... pass (docs-only change).
• Astro docs site builds unchanged (17 pages; root markdown correctly ignored).
• All relative links resolve; guardrails clean.

Maintainer follow-ups (in the docs as placeholders)

• Fill the Code of Conduct reporting contact.
• Continuity plan: designate a backup maintainer, place the signing key and passphrase in an org-controlled lockbox, and confirm org owners can restore repo access.