chore: prepare repository for public release

- Add split licensing: AGPL-3.0 for server, Apache-2.0/MIT for all
  other crates and SDKs (Signal-style)
- Add SECURITY.md with vulnerability disclosure policy
- Add CONTRIBUTING.md with build, test, and code standards
- Add "not audited" security disclaimer to README
- Add workspace package metadata (license, repository, keywords)
- Move internal planning docs to docs/internal/ (gitignored)

CONTRIBUTING.md

@@ -0,0 +1,40 @@
+# Contributing to quicproquo
+
+## Prerequisites
+
+- **Rust toolchain** (stable) via [rustup](https://rustup.rs/)
+- **protoc** is vendored via the `protobuf-src` crate -- no system installation needed
+- Git with GPG signing configured
+
+## Building and Testing
+
+```sh
+cargo build --workspace
+cargo test --workspace
+```
+
+A `justfile` is also available for common tasks (`just build`, `just test`, `just proto`, etc.).
+
+## Code Standards
+
+### Commits
+
+- **Conventional commits**: `feat:`, `fix:`, `docs:`, `chore:`, `test:`, `refactor:`
+- Commits must be **GPG-signed**
+- Commit messages describe *why*, not just *what*
+- No `Co-authored-by` trailers
+
+### Rust
+
+- No `.unwrap()` on crypto or I/O operations outside of tests
+- Secrets must be zeroized on drop and never logged
+- No stubs, `todo!()`, or `unimplemented!()` in production code
+- Prefer clarity over cleverness; avoid unnecessary abstractions
+
+## Security Vulnerabilities
+
+Do not open public issues for security bugs. See [SECURITY.md](SECURITY.md) for responsible disclosure instructions.
+
+## Licensing
+
+The server crate (`quicproquo-server`) is licensed under **AGPL-3.0**. All other crates are dual-licensed under **Apache-2.0 / MIT**. By submitting a contribution, you agree to license your work under the applicable license(s).