Bump NEXT_CHANGELOG to v1.0.0 and add SECURITY.md support policy

[simonfaltum]

Why

The next CLI release is v1.0.0, the first generally available major release (the previous shipped release was v0.299.2; v0.300.0 was only a placeholder in NEXT_CHANGELOG.md, never released). The release notes need to reflect the v1.0 milestone, and SECURITY.md needs to document how long the 0.x line will continue to receive patches so users have a clear migration window.

Changes

Before: NEXT_CHANGELOG.md headed the next release as v0.300.0 (placeholder) with no GA messaging. SECURITY.md only had a one-line vulnerability reporting paragraph; no statement of which versions are supported.

Now:

• NEXT_CHANGELOG.md heads the next release as v1.0.0 (jumping from the v0.299.2 released line) and opens Notable Changes with a one-line GA statement: first major release, semver from here on, 0.299.x continues to get security-critical patches through June 2027 with a pointer to SECURITY.md.
• SECURITY.md gets a Supported Versions table at the top: 1.x (full support), 0.299.x (security-critical patches only, through June 2027), < 0.299 (not supported), plus a short paragraph explaining the policy.

Conflicts likely with #5272 (also touches NEXT_CHANGELOG.md Notable Changes). Whichever lands first, the other rebases.

Test plan

• ./task checks clean (tidy, whitespace, links, deadcode).
• Manual review of rendered Markdown for both files.
• Confirm June 2027 date and "security-critical patches only" wording match the announced support policy.

This pull request and its description were written by Claude.

[github-actions]

Waiting for approval

Based on git history, these people are best suited to review:

• @janniklasrose -- recent work in ./
• @pietern -- recent work in ./
• @denik -- recent work in ./

Eligible reviewers: @andrewnester, @anton-107, @renaudhartert-db, @shreyas-goenka

_{Suggestions based on git history. See OWNERS for ownership rules.}