
Add OpenSSF Baseline Level 3 compliance #183

Closed
mlieberman85 wants to merge 0 commits into kusaridev:main from mlieberman85:fix/openssf-baseline-compliance
Conversation

@mlieberman85

Summary

This PR adds documentation and fixes to achieve full OpenSSF Baseline Level 3 compliance.

Changes

Security Fix:

  • Fixed branch name injection vulnerability in release.yaml by passing github.ref_name as an environment variable instead of direct interpolation (OSPS-BR-01.02)

New Documentation:

  • DEPENDENCIES.md - Documents project dependencies and management practices
  • GOVERNANCE.md - Defines project maintainers and decision-making process
  • SUPPORT.md - Provides support resources and help documentation
  • docs/ARCHITECTURE.md - High-level system architecture documentation
  • docs/THREAT_MODEL.md - STRIDE-based threat model

Updated Files:

  • SECURITY.md - Added VEX (Vulnerability Exploitability eXchange) policy section
  • .github/ISSUE_TEMPLATE/bug_report.md - Added bug report template

Compliance Results

Before:

  • ❌ Level 1: Not Compliant
  • ❌ Level 2: Not Compliant
  • ❌ Level 3: Not Compliant

After:

  • ✅ Level 1: Compliant
  • ✅ Level 2: Compliant
  • ✅ Level 3: Compliant

Controls Fixed

Control        Description
OSPS-BR-01.02  Branch name injection prevention
OSPS-DO-02.01  Bug report template
OSPS-DO-04.01  Support documentation
OSPS-DO-06.01  Dependencies documentation
OSPS-GV-01.01  Governance documentation
OSPS-GV-01.02  Maintainer identification
OSPS-SA-01.01  Architecture documentation
OSPS-SA-03.02  Threat model
OSPS-VM-04.02  VEX policy
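The OSPS-BR-01.02 fix described above, as an added illustration that is not the project's own release.yaml: a workflow step that interpolates github.ref_name straight into its run script, beside the hardened form that hands the value to the shell through an environment variable. The workflow, job and step names are assumed.

```yaml
# Added illustration, not the project's release.yaml; workflow, job and step names are assumed.
name: release
on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # WEAK: the ${{ }} expression is substituted into the script text before the
      # shell ever runs, so a branch name containing shell metacharacters becomes
      # part of the script itself. Quoting inside the run line does not help,
      # because the substitution happens at the template level, not in the shell.
      # Anyone who can create a branch chooses its name.
      - name: Print branch (vulnerable to script injection, OSPS-BR-01.02)
        run: echo "Releasing branch ${{ github.ref_name }}"

      # FIXED: the value reaches the step as an environment variable and is only
      # ever read by the shell as data; with the variable quoted, metacharacters
      # in the branch name are printed literally instead of being executed.
      - name: Print branch (hardened)
        env:
          REF_NAME: ${{ github.ref_name }}
        run: echo "Releasing branch $REF_NAME"
```

The same pattern applies to any other attacker-influenceable context value (issue titles, PR bodies, commit messages) used inside a run step.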

@mlieberman85 mlieberman85 force-pushed the fix/openssf-baseline-compliance branch from a120826 to 401d2b1 on February 2, 2026 03:49