chore: prepare repository for public release

- Add split licensing: AGPL-3.0 for server, Apache-2.0/MIT for all
  other crates and SDKs (Signal-style)
- Add SECURITY.md with vulnerability disclosure policy
- Add CONTRIBUTING.md with build, test, and code standards
- Add "not audited" security disclaimer to README
- Add workspace package metadata (license, repository, keywords)
- Move internal planning docs to docs/internal/ (gitignored)
This commit is contained in:
2026-03-06 20:51:30 +01:00
parent aa29d3bc34
commit a9d1f535aa
24 changed files with 1020 additions and 1808 deletions


@@ -210,11 +210,9 @@ mdbook serve docs # http://localhost:3000
- [Scaling Guide](docs/operations/scaling-guide.md) — resource sizing, horizontal scaling, capacity planning
- [Monitoring](docs/operations/monitoring.md) — Prometheus metrics, Grafana dashboards, alert rules
## Security
## Security Status
This project has **not undergone a formal third-party audit**. See the [threat model](docs/src/cryptography/threat-model.md) for details.
If you discover a security vulnerability, please report it privately.
> **This software has not undergone an independent security audit.** While it implements cryptographic best practices (MLS RFC 9420, OPAQUE, zeroization, constant-time comparisons), no third-party firm has reviewed the implementation. Do not rely on it for high-risk communications until an audit is completed. See [SECURITY.md](SECURITY.md) for our vulnerability disclosure policy.
## License
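Review bot: The new "Security Status" blockquote drops the link to the threat model (docs/src/cryptography/threat-model.md) that the old "Security" paragraph carried, so a README reader no longer has a pointer to what the design does and does not defend against. Suggest keeping that link next to the SECURITY.md link. In the same blockquote, "While it implements cryptographic best practices (MLS RFC 9420, OPAQUE, zeroization, constant-time comparisons)" reads as an assurance inside a paragraph whose purpose is to say the implementation is unreviewed. Wording such as "is designed around" would state the intent without asserting correctness. The removed sentence "If you discover a security vulnerability, please report it privately." was the only reporting instruction in the README itself. That is fine if SECURITY.md names a private reporting channel, but that file is not visible in this hunk, so please confirm it does.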