AGPL just means that users can fork the project if they have access to older AGPL code, but CLAs that assign copyright mean that the rights holders can change the license whenever they want and make it difficult to find old AGPL code by removing repositories and scrubbing the web of it.
It's entirely possible for the rights holders to say "we're going private now" and pivot the project into a for-profit business.
Your license choice is perfectly fine. If you do not have a CLA, you have an AGPL codebase with many people owning the copyright on portions of it.
In terms of future proofing against the project "going commercial" (i.e. changing the license going forward), it doesn't get much better than this, because pretty much all the copyright holders would need to agree on a license change.
Ideally, the bulk of the copyright does not reside with a small number of authors - the more authors, and the more evenly the copyright is spread among them, the better.
You don't need a CLA. GitHub's ToS are set up such that contributions you get from other GitHub users are licensed in the same manner as your repo unless the contributor gets you to agree to accept them under some other license: https://docs.github.com/en/site-policy/github-terms/github-t.... People should not be worried about you "going private"; if you've accepted non de minimis contributions from other users, any future conveyance or network interaction stuff would require you to include the source materials to stay in compliance.
You don't need another license. You just need to either (1) not require a CLA, or (2) if you do, write the CLA so that it prevents you from doing that with others' contributions.
There isn't one, because copyright holders have all the legal right to do whatever they want. The legal owner of a copyrighted work is not beholden to the license they release the work under.