[codex] Prepare public repo for wider sharing

[davidchris]

Summary

Prepares FafyCat for wider public sharing by tightening the public-facing repository surface and removing avoidable third-party browser requests from the local app UI.

What changed

• Vendor Tailwind, HTMX, and Chart.js into src/fafycat/static/vendor/ and serve them from the local FastAPI app instead of CDNs.
• Add a vendor asset manifest with upstream project, version, and license notes.
• Add the missing docs/coding-agents.md guide referenced by the README.
• Tighten README privacy language around CSV import, no account linking, and no hosted backend.
• Replace the over-specific accuracy claim with a data-dependent statement.
• Clean stale contributor docs: development setup commands, PR expectations, help channels, and Apache-2.0 license wording.

Why

The repo was close to shareable, but a wider audience would hit a broken docs link, stale contribution instructions, and privacy claims that were undermined by CDN-loaded frontend assets. This makes the public promise more accurate and the install/readme path more trustworthy.

Validation

• uvx ruff check
• uv build
• uv run pytest — 258 passed, 1 skipped, 7 deselected
• Commit/push hooks reran ruff, format, ty, and pytest successfully

Notes

GitHub reported existing Dependabot vulnerabilities on the default branch during push; this PR does not address those alerts.