chore: add repo-root .coderabbit.yaml (workspace standard)

[27Bslash6]

Missing standard tooling: repo-root .coderabbit.yaml

This repo has no repo-root .coderabbit.yaml, so CodeRabbit silently falls back to the org-dashboard default. That means:

• ❌ request_changes_workflow is off — CodeRabbit can't cast formal approve / request-changes review votes (its top-level @coderabbitai approve/resolve commands are disabled).
• ❌ No profile: assertive, no per-language path_instructions, no gitleaks/actionlint/yamllint enforcement.

Note: an org-level .github/.coderabbit.yaml is ignored — the config must live at the repo root (or the dashboard).

Rollout status

The workspace standard exists in saas, saas-infra, cachekit-py, and now brochure, but was never rolled to the remaining repos. This issue tracks adding it here.

Acceptance criteria

• Add /.coderabbit.yaml mirroring the standard reviews block:
  • profile: "assertive", request_changes_workflow: true, high_level_summary: true, review_status: true, auto_review.enabled: true / drafts: false
• Tailor path_instructions + tools to this repo's stack (don't copy dead rules):
  • Rust repos → keep the **/*.rs block (unsafe/unwrap/Result, FFI buffer/null checks, zeroize secrets); enable no Python/Docker tools
  • TS repos → **/*.ts block (strict, no any, no unhandled rejections); eslint/biome
  • Encryption-critical code (**/encryption/**, byte_storage) → AAD/key-length/nonce checks, cross-ref protocol spec
  • Spec/markdown repos → markdown + protocol-compliance guidance; drop code tools
  • All repos → .github/workflows/** SHA-pin rule; gitleaks, actionlint, yamllint, shellcheck
• Validate YAML parses; open PR.

Templates

• saas/.coderabbit.yaml — canonical reviews block + full path_instructions
• brochure/.coderabbit.yaml (PR #24, commit 61da59f) — frontend-tailored example (a11y + no-secret-literal + verifiable-claims guidance)

chore: — non-releasing.