ci(workflows): add stale issue and PR management workflow

[BigJohn-dev]

Closes #35

Description

• Adds .github/workflows/stale.yml using actions/stale@v9.1.0 to automatically manage inactive issues and pull requests.
• Items with 60 days of no activity are labeled stale and warned via comment; if they stay inactive for 14 more days they are closed with a closing comment. Any activity clears the stale label and resets the clock.
• Runs on a daily schedule (cron: "30 1 * * *", 01:30 UTC) and supports manual workflow_dispatch for on-demand sweeps.
• Exempts issues/PRs labeled pinned, security, or epic from being marked stale or closed.
• Scoped permissions (least privilege): issues: write, pull-requests: write, contents: read.
• Related issue: # (link the tracking issue if applicable)

Acceptance criteria coverage

Requirement	Implementation
Runs on schedule (daily)	cron: "30 1 * * *" + workflow_dispatch
Mark stale after 60 days inactivity	days-before-stale: 60
Close after 14 more days	days-before-close: 14
Label stale items with stale	stale-issue-label / stale-pr-label: stale
Comment before closing	stale-*-message (at 60d) + close-*-message (at close)
Exempt pinned, security, epic	exempt-issue-labels / exempt-pr-labels
Security issues never auto-closed	security included in exempt lists

Checklist

• Tests added or updated — N/A (CI workflow; validated via YAML lint + dry-run, see Notes)
• Documentation updated (README, docs, comments) — workflow is heavily commented inline
• Linting passes — YAML validated (yaml.safe_load)
• Type checking passes (if applicable) — N/A
• Relevant issue linked
• Changelog updated (if applicable)

Security

This change is security-relevant in a positive way: security is included in exempt-issue-labels and exempt-pr-labels, so security reports are never auto-marked stale or auto-closed, preserving coordinated-disclosure timelines. The workflow requests only the minimum permissions needed (issues: write, pull-requests: write, contents: read) and does not check out repository code or handle secrets, so it is not exposed to fork-PR code execution. No coordinated disclosure required.

Notes for reviewers

• Action pin: actions/stale@v9.1.0 is pinned to a version tag, matching the existing pr-title-lint.yml convention. If the project prefers SHA-pinning for supply-chain hardening, say so and I'll switch to the commit SHA.
• Label prerequisites: the exemptions only protect items that actually carry the pinned / security / epic labels, and the stale label should exist in the repo. Confirm these labels exist (or I can add a gh label create step / label-sync).
• How to test locally / dry-run: trigger from the Actions tab → "Mark Stale Issues and PRs" → Run workflow (workflow_dispatch). For a no-op preview that logs what would be marked/closed without mutating anything, temporarily add debug-only: true to the with: block.
• Throughput: operations-per-run: 200 caps API operations so a large backlog won't exhaust rate limits in a single run; remaining items are picked up on the next daily run.

[snowrugar-beep]

Nice work @BigJohn-dev! 🎉 The stale workflow looks well-thought-out — 60-day window, sensible exemptions (pinned, security, epic), daily schedule, and scoped permissions. CI is green, merging this in.