docs: add CONTRIBUTING.md

🟢 open · #126 · willchen96/mike ← bmersereau/mike · opened 13d ago by bmersereau · +132 across 1 file · ↗ on GitHub

From the PR description

Summary

Adds a CONTRIBUTING.md following open-source best practices for a project at this stage.

What's included

  • Ways to contribute - bug reports, feature requests, code, docs; sets expectations for non-code contributors (relevant given the legal audience)
  • Security disclosure path - directs reporters to GitHub private advisories before opening a public issue; important given Mike handles sensitive legal documents
  • Local dev setup - the key env vars and startup commands in one place, so contributors don't have to hunt through the README
  • Branch/PR workflow - fix/<issue>-<slug> / feat/<issue>-<slug> naming, conventional commits, Closes #N in PR body
  • Tests-first requirement - stated explicitly as a requirement, not a suggestion
  • Database migration conventions - BEGIN/COMMIT, rollback script, pre-flight comments; codifies the pattern established in recent migration work
  • Code of conduct - one-liner pointing to Contributor Covenant v2.1

What's intentionally omitted

No CLA, no DCO, no CODEOWNERS file - all add friction that slows early-stage contributions more than they help. These can be added if the project grows to a point where they're needed.

Proposed comment for maintainer review

This is a proposed first draft - happy to adjust the tone, add/remove sections, or align with any contribution norms you already have in mind. A few specific things worth your call:

  • 72-hour security response SLA - adjust or remove if that's not a commitment you want to make publicly yet
  • "Tests required" - I've stated this as a hard requirement based on how recent PRs have been reviewed; soften to a strong preference if that better reflects your intent
  • DOWNLOAD_SIGNING_SECRET / USER_API_KEYS_ENCRYPTION_SECRET in the env example - included because they're now required after recent security hardening; the README may need a matching update
