chore: initial MCP preparation package

14-file blueprint including:
- sources.yml with data source provenance
- 12 golden contract tests with native-language search terms
- 5-6 drift detection anchors
- MCP Registry + npm package configs
- Vercel deployment config (SMALL tier)
- Security policies and issue templates

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/SECURITY-SETUP.md

@@ -0,0 +1,49 @@
+# Security Setup Guide (Internal)
+
+## Required Secrets
+
+Configure these secrets in the GitHub repository settings:
+
+| Secret | Purpose | Source |
+|--------|---------|--------|
+| `NPM_TOKEN` | npm publishing with provenance | npm.js account (Ansvar org) |
+| `VERCEL_TOKEN` | Vercel deployment | Vercel dashboard |
+| `VERCEL_ORG_ID` | Vercel organization | Vercel dashboard |
+| `VERCEL_PROJECT_ID` | Vercel project | Vercel dashboard |
+
+## MCP Registry Publishing
+
+Registry publishing uses Azure Key Vault for signing:
+
+- **Vault:** `kv-ansvar-dev`
+- **Key:** `mcp-registry-signing-key`
+- **Algorithm:** ECDSA P-384
+- **DNS Auth:** `ansvar.eu` TXT record
+
+To publish:
+```bash
+mcp-publisher login dns azure-key-vault \
+  --domain="ansvar.eu" \
+  --vault "kv-ansvar-dev" \
+  --key "mcp-registry-signing-key"
+
+mcp-publisher publish
+```
+
+## Branch Protection
+
+Enable these rules on `main`:
+- Require pull request reviews (1 reviewer)
+- Require status checks to pass (ci, contract-tests)
+- Require branches to be up to date
+- Do not allow bypassing the above settings
+
+## Security Scanning
+
+All 6 scanners are configured in `.github/workflows/ci.yml`:
+- CodeQL (semantic SAST)
+- Semgrep (pattern SAST)
+- Trivy (dependency CVE)
+- Gitleaks (secret detection)
+- Socket Security (supply chain)
+- OSSF Scorecard (security posture)