
governance: add a Contributor License Agreement (CLA) for inbound contributions #119

Description

@VijitSingh97

Goal

Put a Contributor License Agreement in place so every inbound contribution comes with explicit, recorded IP terms. RigForge is MIT-licensed, but unlike Pithead there's currently no inbound-licensing signal at all; CONTRIBUTING.md doesn't even carry an implicit "by contributing you agree to license under MIT" line. A CLA (or a DCO) records the terms per-contributor and enforces them on the PR.

Companion to p2pool-starter-stack/pithead#292 — the two repos should land on the same mechanism so contributors get one consistent process across the org.

Decide first: CLA vs DCO

These are the two standard options — the issue is really about picking one (and matching whatever Pithead picks):

  • DCO (Developer Certificate of Origin) — lightweight. Contributors add a Signed-off-by: line to each commit (git commit -s); a bot (e.g. DCO GitHub App or a GitHub Action) enforces it on PRs. No signature DB, no extra friction. Recommended for a project this size.
  • Formal CLA — heavier. Contributors sign an individual (ICLA) and/or corporate (CCLA) agreement, typically via CLA Assistant or cla-assistant.io, which records signatures and gates the PR with a status check. Stronger if the project may relicense or needs explicit patent grants, but adds onboarding friction.

Given the MIT license and small-team setup, a DCO likely gives most of the benefit with the least friction.

Scope

  • Decide DCO vs formal CLA — match the Pithead decision (#292) so the org is consistent.
  • Add the agreement text/policy:
    • DCO → reference the standard DCO 1.1 text; document git commit -s in CONTRIBUTING.
    • CLA → add CLA.md (and CCLA.md if corporate) with the agreement text.
  • Wire up enforcement on PRs:
    • DCO → DCO App / Action as a required status check.
    • CLA → CLA Assistant bot + signature recording, as a required check.
  • Update CONTRIBUTING.md — add the chosen process (and an inbound-licensing statement, which is currently missing) and link it from the PR template.
  • Note the requirement in the README/docs where contribution is mentioned.

Acceptance

  • A contributor opening a PR is clearly told what they must do (sign-off or sign), and a status check fails until they do.
  • The agreement/policy text lives in the repo and is discoverable from CONTRIBUTING and the PR template.

Notes

Related to the community-health work in #10 (which added CONTRIBUTING/SECURITY/templates but not a CLA/DCO). Whatever we pick should apply going forward; we likely don't need to retroactively chase sign-off on existing history.
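
The DCO sign-off check described in the issue, as an added example (not RigForge's code and not the DCO App's implementation): it reads the trailer block of each commit message and fails commits with no `Signed-off-by:` trailer. The commit records are constructed sample data, and requiring the signer to match the commit author is an assumed policy.

```python
import re

# Trailer line as written by `git commit -s`: "Signed-off-by: Name <email>"
SIGNOFF = re.compile(r"^Signed-off-by:\s*(.+?)\s*<([^<>]+)>\s*$")

def signoffs(message):
    """Return (name, email) pairs found in the trailer block (last paragraph)."""
    paragraphs = re.split(r"\n\s*\n", message.strip())
    if len(paragraphs) < 2:  # subject line only: there is no trailer block
        return []
    found = []
    for line in paragraphs[-1].splitlines():
        m = SIGNOFF.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2).lower()))
    return found

def check_dco(commits):
    """Map sha -> reason for every commit that would fail the status check."""
    failures = {}
    for c in commits:
        offs = signoffs(c["message"])
        if not offs:
            failures[c["sha"]] = "no Signed-off-by trailer"
        elif (c["author_name"], c["author_email"].lower()) not in offs:
            # Assumed policy: the commit author must be among the signers.
            failures[c["sha"]] = "sign-off does not match commit author"
    return failures

# Constructed sample commits (hypothetical, not taken from any repository).
SAMPLE = [
    {"sha": "a1", "author_name": "Alice Example", "author_email": "Alice@example.org",
     "message": "Add inbound-licensing note\n\nSigned-off-by: Alice Example <alice@example.org>\n"},
    {"sha": "b2", "author_name": "Bob Example", "author_email": "bob@example.org",
     "message": "Fix typo\n"},
    {"sha": "c3", "author_name": "Carol Example", "author_email": "carol@example.org",
     "message": "Update docs\n\nSigned-off-by: Someone Else <else@example.org>\n"},
    # Sign-off text quoted in the body does not count; only the trailer block does.
    {"sha": "d4", "author_name": "Dan Example", "author_email": "dan@example.org",
     "message": "Refactor loader\n\nThe Signed-off-by: Dan Example <dan@example.org> "
                "line was dropped in review.\n\nReviewed-by: Erin Example <erin@example.org>\n"},
]

if __name__ == "__main__":
    for sha, reason in check_dco(SAMPLE).items():
        print(f"{sha}: {reason}")
```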


Labels: documentation (Improvements or additions to documentation), infra (Deployment, packaging, releases)
