
docs: add SECURITY.md with responsible disclosure policy #43

@chernistry


Problem

RightLayout monitors keystrokes via CGEventTap — this is a sensitive permission. Users and security researchers need to know:

- What data does the app access?
- Does any data leave the machine?
- How to report security vulnerabilities responsibly
- What the app does and doesn't do with keystroke data

Without a SECURITY.md, security-conscious users won't install a keystroke-monitoring app. This is a trust blocker for adoption.

Proposed Solution

Create SECURITY.md in the repository root following GitHub's standard security policy format.

Proposed Content

# Security Policy

## Overview

RightLayout monitors keyboard input to detect and correct text typed in the
wrong keyboard layout. This requires macOS Accessibility permissions
(`CGEventTap`), which is a sensitive system capability.

**We take this responsibility seriously.**

## What RightLayout Does

- Monitors keystrokes ONLY to detect keyboard layout mismatches
- Performs text correction locally, on your machine
- Stores user preferences in macOS UserDefaults (local only)

## What RightLayout Does NOT Do

- ❌ Does NOT transmit any keystroke data over the network
- ❌ Does NOT log or store typed text
- ❌ Does NOT send analytics or telemetry
- ❌ Does NOT access files, contacts, or other personal data
- ❌ Does NOT work when the app is not running (no background daemons)

## Data Storage

| Data | Location | Purpose |
|------|----------|---------|
| User preferences | `~/Library/Preferences/com.chernistry.RightLayout.plist` | Settings |
| App support files | `~/Library/Application Support/RightLayout/` | Layout mappings cache |

No data is stored remotely. No accounts are created. No data leaves your machine.

## Supported Versions

| Version | Supported |
|---------|-----------|
| 1.x     | ✅ Yes    |
| < 1.0   | ❌ No     |

## Reporting a Vulnerability

If you discover a security vulnerability in RightLayout, please report it
responsibly:

1. **DO NOT** open a public GitHub issue
2. Email: **security@[your-domain]** (or use GitHub's private vulnerability reporting)
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

### Response Timeline

- **Acknowledgment**: Within 48 hours
- **Assessment**: Within 1 week
- **Fix (if confirmed)**: Within 2 weeks for critical issues
- **Disclosure**: Coordinated with reporter, typically 90 days

## Verification

You can verify RightLayout's behavior yourself:
1. Monitor network traffic with Little Snitch or Wireshark — the app makes zero network connections (except optional update checks to GitHub)
2. Review the source code — it's fully open source
3. Build from source: `swift build` — no hidden binaries
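As an added example (not part of this issue or of the RightLayout project), the following script turns the `codesign` command from the Code Signing section into a pass/fail check: it reads the `codesign -dv --verbose=4` report and confirms a Developer ID chain ending at Apple Root CA for the expected bundle identifier and Team ID. The bundle identifier is assumed from the preferences plist name shown in the Data Storage table, `TEAMID0000` is a placeholder for the project's published Team ID, and the sample reports are constructed rather than captured from a real build.

```shell
#!/bin/sh
# Added example: verify a RightLayout release build's Developer ID signature.
# Assumptions: bundle identifier taken from the preferences plist name on this
# page; TEAMID0000 is a placeholder for the project's published Team ID.
EXPECTED_IDENTIFIER="com.chernistry.RightLayout"
EXPECTED_TEAM_ID="${RIGHTLAYOUT_TEAM_ID:-TEAMID0000}"

# check_codesign_report REPORT: inspect the text of `codesign -dv --verbose=4`.
# Returns 0 for a Developer ID chain on the expected identifier and team,
# otherwise prints the reason and returns 1.
check_codesign_report() {
  report="$1"
  case "$report" in
    *"Signature=adhoc"*) echo "FAIL: ad-hoc signature, not a Developer ID build"; return 1 ;;
  esac
  printf '%s\n' "$report" | grep -qxF "Identifier=$EXPECTED_IDENTIFIER" \
    || { echo "FAIL: bundle identifier is not $EXPECTED_IDENTIFIER"; return 1; }
  printf '%s\n' "$report" | grep -q '^Authority=Developer ID Application: ' \
    || { echo "FAIL: leaf certificate is not a Developer ID Application certificate"; return 1; }
  printf '%s\n' "$report" | grep -qxF 'Authority=Apple Root CA' \
    || { echo "FAIL: certificate chain does not end at Apple Root CA"; return 1; }
  printf '%s\n' "$report" | grep -qxF "TeamIdentifier=$EXPECTED_TEAM_ID" \
    || { echo "FAIL: TeamIdentifier does not match $EXPECTED_TEAM_ID"; return 1; }
  echo "OK: Developer ID signature for $EXPECTED_IDENTIFIER (team $EXPECTED_TEAM_ID)"
}

# verify_app APP_PATH: for use on macOS. codesign prints its report on stderr,
# and --verify --deep --strict checks the seal itself before the chain is read.
verify_app() {
  codesign --verify --deep --strict "$1" || return 1
  check_codesign_report "$(codesign -dv --verbose=4 "$1" 2>&1)"
}

# Constructed sample reports (not captured from a real build) for offline use.
SAMPLE_GOOD='Executable=/Applications/RightLayout.app/Contents/MacOS/RightLayout
Identifier=com.chernistry.RightLayout
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'
SAMPLE_ADHOC='Executable=/tmp/RightLayout.app/Contents/MacOS/RightLayout
Identifier=com.chernistry.RightLayout
Signature=adhoc
TeamIdentifier=not set'

check_codesign_report "$SAMPLE_GOOD"
check_codesign_report "$SAMPLE_ADHOC" || true
```

On a Mac, `verify_app /Applications/RightLayout.app` runs the real check; set `RIGHTLAYOUT_TEAM_ID` to the Team ID the project publishes before trusting the result.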

## Code Signing

Release builds are signed with an Apple Developer certificate. Verify with:
```bash
codesign -dv --verbose=4 /Applications/RightLayout.app
```

## Contact

- GitHub Issues: For non-security bugs and feature requests
- Security issues: Use GitHub's private vulnerability reporting feature
  (Security tab → Report a vulnerability)

## Steps to Implement

1. Create `SECURITY.md` in the repository root
2. Enable GitHub's private vulnerability reporting (Settings → Security → Private vulnerability reporting)
3. Set up a security contact email (optional, GitHub reporting is sufficient)
4. Link to `SECURITY.md` from README
5. Add security badge to README: `[![Security Policy](https://img.shields.io/badge/security-policy-green)](SECURITY.md)`

## Why This Matters

- macOS users are increasingly security-aware
- Keystroke monitoring apps get extra scrutiny
- App Store reviewers look for privacy documentation
- Open-source security policy builds trust with enterprise users

## Acceptance Criteria

- [ ] `SECURITY.md` exists in the repo root
- [ ] Covers what data is accessed and what isn't
- [ ] Includes responsible disclosure instructions
- [ ] GitHub private vulnerability reporting is enabled
- [ ] README links to the security policy
