Initial WatchLink scaffold

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Version
+
+WatchLink is pre-release. Security fixes apply to the current `main` branch.
+
+## Reporting
+
+Report vulnerabilities privately to the repository owner. Do not open public issues for secrets, authentication bypasses, or data exposure.
+
+## Baseline Rules
+
+- Do not commit `.env`, tokens, private keys, certificates, or database dumps.
+- Change `NEXTAUTH_SECRET` before production use.
+- Use a strong Postgres password in production.
+- Store Gitea registry credentials in repository or organization secrets.
+- Review `docs/security-review.md` before release work.