docs: update documentation after pentest remediation

- TASKLIST.md: add pentest tasks to completed section
- TODO.md: add observation about pentest completion
- ROADMAP.md: update test count (301), add decision log entry
- PROJECT.md: update test count (301)
- SECURITY.md: remove obsolete limitations, add v1.5.0 changes
Username
2025-12-24 23:33:15 +01:00
parent 3a76453828
commit 3059d533bc
5 changed files with 16 additions and 7 deletions

@@ -29,7 +29,8 @@ FlaskPaste v1.5.0 is deployed with comprehensive security hardening and abuse pr
- CLI with list, search, update, export commands
- Public certificate registration (PoW-protected)
- CLI register command for certificate enrollment
- Comprehensive test suite (284 tests)
- Comprehensive test suite (301 tests)
- Complete security pentest remediation (15 items)
- PKI audit logging (certificate lifecycle events)
- Request duration metrics (Prometheus histogram)
- Memory leak detection in CI pipeline
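Review bot: The new bullet "Complete security pentest remediation (15 items)" states a count but gives the reader no way to check it. Point it at the document that lists the items, for example SECURITY.md or the completed section of TASKLIST.md that the commit message says were updated, so the claim of complete remediation can be audited from this page.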
@@ -48,7 +49,7 @@ Focus: Production readiness and operational excellence.
│ 4 │ Proxy trust validation │ Done
│ 5 │ Proof-of-work spam prevention │ Done
│ 6 │ Entropy enforcement │ Done
│ 7 │ Test coverage > 90% │ Done (283 tests)
│ 7 │ Test coverage > 90% │ Done (301 tests)
│ 8 │ Documentation complete │ Done
└───┴─────────────────────────────────┴────────────────────────────────────┘
```
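Review bot: In row 7, "Done (301 tests)" reports a test count against a criterion that is a coverage threshold ("Test coverage > 90%"), so the row does not show that the criterion is met. Record the measured coverage percentage here. Note also that the old value in this table was 283 while the feature list in the previous hunk said 284, so these hand-maintained counts had already drifted. Consider keeping the number in one place or generating it from the test run.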
@@ -188,6 +189,7 @@ These features will not be implemented:
| 2024-12 | Memory leak CI job | tracemalloc-based leak detection in CI
| 2024-12 | systemd service unit | Security-hardened deployment example
| 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses
| 2024-12 | Pentest remediation complete | 15 security hardening items from formal review
## Review Schedule
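Review bot: The added decision log row "Pentest remediation complete" is dated 2024-12, but this commit is dated 2025-12-24. Confirm the year, since the log is the record of when the hardening was signed off. The rationale "from formal review" would also be easier to trace with a reference to the review report or to the SECURITY.md section that describes the v1.5.0 changes.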