security: implement pentest remediation (PROXY-001, BURN-001, RATE-001)

PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation

BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior

RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS

Test count: 284 -> 291 (7 new security tests)

PENTEST_PLAN.md

@@ -236,15 +236,15 @@ Testing uses specialized Claude subagents for different security domains, with f
 
 ### Immediate (Critical)
 
-- [ ] **PROXY-001**: Add startup warning/failure when TRUSTED_PROXY_SECRET empty in production
-- [ ] **PROXY-002**: Document required proxy configuration in deployment guide
-- [ ] **PROXY-003**: Add security test for header spoofing without proxy secret
+- [x] **PROXY-001**: Add startup warning/failure when TRUSTED_PROXY_SECRET empty in production
+- [x] **PROXY-002**: Document required proxy configuration in deployment guide
+- [x] **PROXY-003**: Add security test for header spoofing without proxy secret
 
 ### Short-term (High)
 
-- [ ] **BURN-001**: Track HEAD requests as paste access for burn-after-read
-- [ ] **BURN-002**: Add test for HEAD-then-GET race condition
-- [ ] **RATE-001**: Add maximum entries limit to rate limit storage
+- [x] **BURN-001**: Track HEAD requests as paste access for burn-after-read
+- [x] **BURN-002**: Add test for HEAD-then-GET race condition
+- [x] **RATE-001**: Add maximum entries limit to rate limit storage
 - [ ] **RATE-002**: Add automatic cleanup trigger when threshold exceeded
 - [ ] **CLI-001**: Validate clipboard tool paths against allow-list