add release artifacts: license, CI, tests, and policy docs

- MIT LICENSE
- CHANGELOG.md (CalVer, first entry 2026.04.15)
- CODE_OF_CONDUCT, CONTRIBUTING, SECURITY, SUPPORT policies
- docs/release.md covering preflight, tagging, rollback
- GitHub Actions CI running shell syntax, shellcheck,
  desktop-file-validate, script tests, and nix flake check
- tests/ harness with activate-path and preflight checks;
  preflight test stubs `id` via PATH so it cannot launch real
  Steam on a developer machine where /opt/steam already exists

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| --- | --- |
+| 2026.04.15 | yes |
+
+## Reporting a Vulnerability
+
+Report vulnerabilities by opening a private security advisory on GitHub.
+If that is not available, open an issue marked `security` without exploit details and request a private contact channel.
+
+Include:
+- affected version
+- Linux distribution and kernel version
+- Steam installation type (native or Flatpak)
+- reproduction steps
+- impact summary
+
+Do not publish working exploit details before a fix is available.