
chore: add LICENSE, SECURITY policy, and Dependabot config #160

Merged: rbrenton merged 1 commit into main from chore/governance-housekeeping, Apr 28, 2026

Conversation

@rbrenton (Contributor)

Summary

Adds the three governance baseline items missing from the repository:

  • LICENSE — Apache-2.0 (matches pom.xml and native/Cargo.toml declarations). Resolves the gap where the license is declared in build files but no top-level LICENSE file exists, which blocks adoption by license-aware downstream consumers and Maven Central / GitHub License detection.
  • SECURITY.md — Routes vulnerability reports to GitHub's private vulnerability reporting (already enabled on this repo). Establishes a responsible disclosure path so security issues don't get filed as public issues.
  • .github/dependabot.yml — Weekly updates for Maven (root), Cargo (native/), and GitHub Actions. Tantivy/Quickwit ecosystem deps are grouped to avoid PR spam.

Test plan

  • Confirm GitHub renders LICENSE as Apache-2.0 in the repo header
  • Confirm SECURITY tab appears in the repo navigation
  • Verify Dependabot creates initial PRs after merge (may take ~24h)

- LICENSE: Apache-2.0 (matches license declared in pom.xml and Cargo.toml)
- SECURITY.md: directs reporters to GitHub private vulnerability reporting
- dependabot.yml: weekly updates for Maven, Cargo (native/), and GitHub Actions
@claude

claude Bot commented Apr 23, 2026

Claude finished @rbrenton's task


PR Review Progress

Reviewing this governance housekeeping PR for:

  • Read repository context and setup instructions
  • Analyze LICENSE file for correctness and consistency
  • Review SECURITY.md for proper vulnerability reporting setup
  • Check dependabot.yml configuration for security and correctness
  • Verify no build-breaking issues or merge conflicts
  • Provide final review feedback

Review Analysis Complete

✅ LICENSE File Review

  • Format: Standard Apache-2.0 license text is correct and complete
  • Copyright Notice: Properly set to "2025 IndexTables Contributors" (line 189)
  • Consistency: Matches declared license in pom.xml (Apache License, Version 2.0) and native/Cargo.toml (Apache-2.0)
  • No Issues Found: License file is properly formatted and consistent with build declarations

✅ SECURITY.md Review

  • Structure: Well-organized with clear reporting instructions
  • Reporting Path: Correctly routes to GitHub's private vulnerability reporting
  • URL Validation: GitHub security advisory URL format is correct
  • Scope Coverage: Appropriately covers tantivy4java and references upstream projects
  • No Security Issues: Proper responsible disclosure guidance

✅ Dependabot Configuration Review

  • YAML Structure: Syntax appears valid with proper indentation and structure
  • Ecosystems: Correctly configured for Maven (root), Cargo (native/), and GitHub Actions
  • Schedule: Consistent weekly updates on Monday across all ecosystems
  • Rate Limiting: Appropriate limits (10 for Maven/Cargo, 5 for Actions)
  • Grouping Strategy: Smart grouping of test dependencies and tantivy ecosystem packages
  • No Security Issues: Configuration follows security best practices

✅ Build Integration Analysis

  • No Merge Conflicts: No conflict markers found in any files
  • File Paths: All file paths are standard and appropriate
  • Dependencies: No new runtime dependencies introduced
  • Maven Central: LICENSE file enables proper license detection for Maven Central publishing

Final Review Assessment

No issues found. This is a clean governance housekeeping PR that adds essential project infrastructure without introducing any bugs, security issues, or build problems. The files are properly formatted, consistent with existing declarations, and follow best practices for open source projects.

Recommendation: ✅ APPROVE
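The Dependabot configuration that the PR summary and the review above describe (Maven at the root, Cargo under native/, GitHub Actions; weekly Monday schedule; open-PR limits of 10, 10 and 5; grouping of test dependencies and of the Tantivy/Quickwit ecosystem) is not reproduced on this page. The block below is an added reconstruction written from that description; it is not the repository's actual .github/dependabot.yml. The group names and the package patterns (`tantivy*`, `quickwit*`, the JUnit/Mockito/AssertJ-style test patterns) are assumptions; the keys themselves are the documented Dependabot v2 schema.

```yaml
# Added example: a Dependabot v2 config matching the description on this page.
# NOT the project's own .github/dependabot.yml; group names and patterns are assumed.
version: 2
updates:
  # Maven at the repository root (pom.xml)
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    groups:
      # assumed patterns for test-scoped dependencies; Maven names match as groupId:artifactId
      test-dependencies:
        patterns:
          - "org.junit*"
          - "org.mockito*"
          - "org.assertj*"

  # Cargo manifest under native/
  - package-ecosystem: "cargo"
    directory: "/native"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    groups:
      # one PR for the Tantivy/Quickwit crates instead of one PR per crate
      tantivy-ecosystem:
        patterns:
          - "tantivy*"
          - "quickwit*"

  # Workflow actions referenced from .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
```

Dependabot reads this file from the default branch, so the checks in the PR's test plan only start producing results after the merge. Two points worth knowing when reviewing such a file: `open-pull-requests-limit` applies to version updates, while security updates are tracked under their own separate limit, so a low number here does not suppress advisory-driven PRs; and a group pattern that is too broad (for example a bare `*`) folds unrelated upgrades into a single PR, which makes a bad transitive update harder to bisect, so patterns should name the ecosystem they are meant to cover.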


@rbrenton rbrenton deployed to test-runners April 28, 2026 14:01 — with GitHub Actions Active
@rbrenton rbrenton merged commit c589e49 into main Apr 28, 2026
2 of 7 checks passed
@rbrenton rbrenton deleted the chore/governance-housekeeping branch April 28, 2026 21:25

2 participants