[Repo Assist] docs: add SECURITY.md with vulnerability reporting policy and security model#127

Draft
github-actions[bot] wants to merge 1 commit into master from repo-assist/eng-security-md-2026-04-03-e5d6c455e0ae9073

Conversation

github-actions bot commented Apr 3, 2026

🤖 This is an automated draft PR from Repo Assist, an AI assistant.

Summary

Adds a SECURITY.md file to the repository root. GitHub automatically detects this file and surfaces a "Security policy" link on the repository page, making it easy for users to know how to report vulnerabilities responsibly.

Why

  • The extension spawns an external executable (phpcbf) and reads/writes temp files. It's worth being transparent about the security model.
  • A security policy is a baseline good-practice for any open-source project. GitHub's Community Standards checklist will mark it as complete once merged.
  • Users who discover a potential issue (e.g., someone constructing a malicious workspace settings.json to redirect executablePath) now have a clear path to report it.

Content

  • Supported versions table (only current release is actively supported)
  • Reporting instructions — open a [Security] issue or contact the maintainer directly for sensitive disclosures
  • Security model — transparent description of: process spawning, temp-file handling, absence of network access, and standard-path considerations

Test Status

✅ Unit tests pass: npm run test:unit — 7/7 pass (documentation-only change, no code modified)

Generated by Repo Assist

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@346204513ecfa08b81566450d7d599556807389f

…y model

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
