chore: add project governance files

Author: gk16

CODE_OF_CONDUCT.md

@@ -0,0 +1,5 @@
+# Code of Conduct
+
+This project adopts the [Contributor Covenant v2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) as its code of conduct.
+
+Please report any concerns via [GitHub Issues](https://github.com/AgentAnycast/agentanycast/issues) (for non-sensitive matters) or [GitHub Security Advisories](https://github.com/AgentAnycast/agentanycast/security/advisories/new) (for sensitive matters).

SECURITY.md

@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| latest  | Yes       |
+
+## Reporting a Vulnerability
+
+**Please do NOT open a public GitHub issue for security vulnerabilities.**
+
+Instead, please use [GitHub Security Advisories](https://github.com/AgentAnycast/agentanycast/security/advisories/new) to report vulnerabilities privately.
+
+Please include:
+
+1. Description of the vulnerability
+2. Steps to reproduce
+3. Affected component(s)
+4. Impact assessment (if possible)
+
+## Response Timeline
+
+- **Acknowledgement**: within 48 hours
+- **Initial assessment**: within 7 days
+- **Fix or mitigation**: depends on severity, typically within 30 days
+
+## Security Design
+
+AgentAnycast uses end-to-end encryption (Noise_XX protocol + NaCl box) for all P2P communication. The relay server cannot read message content. See the [Architecture documentation](https://github.com/AgentAnycast/agentanycast/blob/main/docs/architecture.md) for details.
+
+## Disclosure Policy
+
+We follow [coordinated disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). We will work with you to understand and address the issue before any public disclosure.
+
+## Recognition
+
+We appreciate responsible disclosure and will credit reporters (with permission) in release notes.