docs: add TrustScript-specific CONTRIBUTING guide (E6.3 down-payment)

Seeds contributor culture now rather than at M6 — Non-Negotiable salesforce#5
(public-by-default development) doesn't wait until launch.

docs/v2/CONTRIBUTING.md covers:
- What we accept / won't accept without a prior ADR
- Setup with the Node 22 pin callout (Node 24 breaks tree-sitter)
- Change flow: issue first, small PRs, conventional commits, docs
  in the same PR
- Code conventions inherited from .claude/rules plus TrustScript-
  specific copyright-header + SPDX rules
- New-package checklist
- ADR template + numbering rule

Explicit scope limits:
- TrustScript packages + docs/v2/ only; upstream AgentScript PRs
  still use repo-root CONTRIBUTING.md
- Release process, security disclosure, conformance submission,
  and governance docs are called out as "not yet" so the omissions
  don't look like oversights

Traces to ROADMAP E6.3 (Contributor onboarding docs). Long lead time,
so shipping now beats shipping at M6 and hoping contributors already
showed up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: mboss37

docs/v2/CONTRIBUTING.md

@@ -0,0 +1,150 @@
+# Contributing to TrustScript
+
+> This guide is for `@trustscript/*` packages and `docs/v2/`. For upstream AgentScript contributions, see the repo-root `CONTRIBUTING.md`.
+
+## What we're building
+
+TrustScript is an Apache-2.0 fork of AgentScript that adds compiler-enforced trust primitives. Read [VISION.md](./VISION.md) first — it takes 5 minutes and everything below presumes you've seen it.
+
+## Before you open a PR
+
+Read these, in order:
+1. [VISION.md](./VISION.md) — thesis and non-negotiables
+2. [ROADMAP.md](./ROADMAP.md) — current milestone and exit criteria
+3. [BACKLOG.md](../../BACKLOG.md) §Quick Guide — how epics flow into sprints
+4. Relevant ADR(s) for the area you're touching (`docs/v2/adr/`)
+
+If your contribution conflicts with a non-negotiable, it doesn't merge. If it conflicts with an ADR, either (a) your ADR supersedes it — write one, or (b) open an issue before the PR so we can discuss.
+
+## What we accept
+
+- **Bug fixes** to `@trustscript/*` packages
+- **Test coverage** for existing code (Vitest)
+- **Documentation** improvements
+- **New runtime sink adapters** that pass the conformance suite (M3+)
+- **Tier-2 LLM adapters** that pass the LLM-adapter conformance suite (per [ADR-0002](./adr/0002-llm-abstraction-strategy.md))
+- **Conforming runtime implementations** from external teams (M3+ — this is how the portability thesis gets proven)
+
+## What we won't accept without a prior ADR
+
+- New primitives that change the language (`@foo` keywords)
+- IR schema changes beyond additive fields
+- Breaking changes to `@trustscript/ir`, `@trustscript/runtime`, or `@trustscript/llm` public APIs
+- Dependencies on proprietary services or closed-source SDKs
+- Features requiring a Salesforce account or Agentforce runtime
+- Anything that relies on runtime enforcement when compile-time is feasible (Non-Negotiable #4)
+
+## Setting up
+
+```bash
+# Node 22.x required (Volta pin in package.json); Node 24 breaks tree-sitter 0.25 native build
+volta install node@22   # or: fnm use 22
+git clone <your-fork>
+cd agentscript
+pnpm install
+pnpm build
+pnpm test
+```
+
+Commands:
+- `pnpm dev` — Turbo watches all packages
+- `pnpm test` — Vitest across the monorepo
+- `pnpm typecheck` — strict TS across all packages
+- `pnpm lint` — ESLint flat config
+- `pnpm --filter @trustscript/runtime test` — scoped to one package
+
+## How a change flows
+
+1. **Pick work from BACKLOG.md** `[pending]` epics. If you want to work on something blocked, resolve the blocker first or pick a different epic.
+2. **Open an issue first** for any non-trivial change. Sketch the approach; get a review before coding.
+3. **Branch off main.** Feature branches stay short-lived (<1 week).
+4. **Write tests first** where practical. Vitest; one assertion per test when possible.
+5. **Keep PRs small.** <400 lines changed. Split if larger.
+6. **Conventional commits** — `feat:`, `fix:`, `docs:`, `refactor:`, `test:`, `chore:`.
+7. **Update docs in the same PR** as the code change. TrustScript docs in `docs/v2/`; ADRs in `docs/v2/adr/`.
+8. **Sign your commits** (DCO) if you're contributing on behalf of an organization.
+
+## Code conventions
+
+Inherited from `.claude/rules/conventions.md`:
+- Files under 400 lines, functions under 50 lines
+- Named exports, no default exports
+- Explicit error handling — no empty catch blocks
+- Validate input at system boundaries (parser, runtime entry, CLI argv)
+- **No `any` types.** Ever. If you need to escape the type system, use `unknown` and narrow.
+
+TrustScript-specific:
+- **Copyright header** on every new file:
+  ```
+  /*
+   * Copyright (c) 2026 TrustScript contributors
+   * SPDX-License-Identifier: Apache-2.0
+   */
+  ```
+- Files modified from upstream `@agentscript/*` carry an additional `/* modified by TrustScript contributors */` line. (Not required during M1 additive-in-place dev; enforced at M1 close per ADR-0014.)
+- Every runtime feature ships with a conformance test when the conformance suite exists (M3+).
+
+## Review expectations
+
+- Core team reviews within 3 business days for straightforward changes.
+- Architectural PRs (new packages, schema changes, ADRs) get a deeper review — budget a week.
+- Reviews focus on: correctness, type safety, conformance, non-negotiable alignment. Style is linter's job.
+- Reviews are public-by-default per Non-Negotiable #5. Don't expect private feedback channels.
+
+## Adding a new package
+
+If you're creating `@trustscript/foo`:
+1. `packages/trustscript-foo/` directory
+2. `package.json` with `@trustscript/foo` scope, Apache-2.0 license, `type: "module"`
+3. `tsconfig.json` extending the root config
+4. `src/index.ts` with copyright header
+5. README with at minimum: purpose, exports, milestone it targets
+6. Register in `pnpm-workspace.yaml` — it auto-picks up `packages/*`
+7. Add dependency line to any package consuming it: `"@trustscript/foo": "workspace:*"`
+
+## Working with ADRs
+
+Every architectural decision gets an ADR. Template:
+
+```
+# ADR-NNNN: <one-line summary>
+**Status**: Proposed | Accepted | Superseded by ADR-NNNN
+**Date**: YYYY-MM-DD
+**Deciders**: <names or "core team">
+
+## Context
+What's the forcing question? What's the constraint?
+
+## Options considered
+1. ...
+2. ...
+3. ...
+
+## Decision
+We chose X because Y.
+
+## Consequences
+- Good: ...
+- Bad: ...
+- Reversibility: yes / no / expensive
+
+## Follow-ups
+- Any downstream ADRs or open questions.
+```
+
+Number sequentially from the highest existing ADR. Don't skip or renumber.
+
+## Reporting security issues
+
+Do not open a public issue for security vulnerabilities. Email the maintainers (contact TBD before M2) or use GitHub's private vulnerability reporting.
+
+## Licensing
+
+All contributions are Apache-2.0. By submitting a PR, you affirm your contribution complies with Apache-2.0 §5 (contribution licensing) and is yours to contribute.
+
+## What this doc does NOT cover yet
+
+- Release process (changesets workflow) — docs land at M2 with the first non-foundational release
+- Security disclosure process — formalized at M3 alongside signed tool catalog
+- Conformance test submission process — defined at M3 when `@trustscript/conformance` ships
+- Maintainer succession / governance — formalized only if the project grows to warrant it