docs: update documentation after pentest remediation

- TASKLIST.md: add pentest tasks to completed section
- TODO.md: add observation about pentest completion
- ROADMAP.md: update test count (301), add decision log entry
- PROJECT.md: update test count (301)
- SECURITY.md: remove obsolete limitations, add v1.5.0 changes
Username
2025-12-24 23:33:15 +01:00
parent 3a76453828
commit 3059d533bc
5 changed files with 16 additions and 7 deletions


@@ -215,10 +215,8 @@ FLASKPASTE_POW_SECRET="$(openssl rand -hex 32)"
## Known Limitations
1. **No rate limiting per IP** - Delegated to reverse proxy
2. **No user accounts** - PKI handles identity
3. **No audit log** - Standard request logging only
4. **Single-node only** - SQLite limits horizontal scaling
1. **No user accounts** - PKI handles identity
2. **Single-node only** - SQLite limits horizontal scaling
## Reporting Vulnerabilities
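Review bot: dropping the "No rate limiting per IP - Delegated to reverse proxy" entry also removes the only statement in SECURITY.md that a reverse proxy is expected to sit in front of the service; since the version table below credits 1.4.0 with "IP-based rate limiting" and this commit adds "lookup rate limiting", the remaining text should say whether the built-in limits replace proxy-level limiting or are meant to supplement it, so operators do not drop the proxy rule on the strength of this diff. Likewise, "No audit log" was already contradicted by the 1.4.0 row ("audit logging"), so this removal is correct but arrives a release late; worth noting in the commit message or the decision log that the limitation list lagged the changelog. The renumbering of the surviving two items is fine.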
@@ -260,6 +258,8 @@ Security fixes are released as soon as possible. Subscribe to repository release
| Version | Security Changes |
|---------|------------------|
| 1.5.0 | Pentest remediation (15 items): timing attack prevention, serial collision detection, lookup rate limiting, content hash locking, anti-flood memory limits, CLI path validation, SSL hostname verification, config permission checks |
| 1.4.0 | Anti-flood dynamic PoW, IP-based rate limiting, audit logging |
| 1.2.0 | Password protection with PBKDF2, code modernization |
| 1.1.0 | E2E encryption, entropy enforcement, burn-after-read |
| 1.0.0 | Initial release with core security features |
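Review bot: the new 1.5.0 row promises "15 items" but lists eight categories, so a reader cannot map the count to the changes; either enumerate all fifteen or point at the pentest task list that TASKLIST.md now carries (per the commit message) so the claim is checkable. Several entries are too vague for a security changelog: "timing attack prevention" should name which comparison was made constant-time (e.g. the password or PoW secret check), "SSL hostname verification" should say which client connection it applies to and use "TLS" rather than "SSL", and "config permission checks" should state the file mode the check enforces, since an operator reading this row needs to know whether their existing deployment will start failing that check after upgrade.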