docs: update for v1.5.0 features

- Add PKI audit logging, request duration metrics to features list
- Update test count from 216 to 283
- Add audit.py and metrics.py to project structure
- Document audit logging in api.md
- Update TASKLIST.md with completed tasks
- Update TODO.md (remove resolved debt items)
- Update ROADMAP.md decision log

ROADMAP.md

@@ -28,7 +28,10 @@ FlaskPaste v1.5.0 is deployed with comprehensive security hardening and abuse pr
 - CLI with list, search, update, export commands
 - Public certificate registration (PoW-protected)
 - CLI register command for certificate enrollment
-- Comprehensive test suite (216 tests)
+- Comprehensive test suite (283 tests)
+- PKI audit logging (certificate lifecycle events)
+- Request duration metrics (Prometheus histogram)
+- Memory leak detection in CI pipeline
 
 ## Phase 1: Hardening (Complete)
 
@@ -44,7 +47,7 @@ Focus: Production readiness and operational excellence.
 │ 4 │ Proxy trust validation          │ Done
 │ 5 │ Proof-of-work spam prevention   │ Done
 │ 6 │ Entropy enforcement             │ Done
-│ 7 │ Test coverage > 90%             │ Done (205 tests)
+│ 7 │ Test coverage > 90%             │ Done (283 tests)
 │ 8 │ Documentation complete          │ Done
 └───┴─────────────────────────────────┴────────────────────────────────────┘
 ```
@@ -178,6 +181,9 @@ These features will not be implemented:
 | 2024-12    | CLI encrypt-by-default             | Security-first design
 | 2024-12    | CLI retry on PoW failure           | Graceful handling of stale tokens
 | 2024-12    | Public cert registration           | Self-service onboarding with PoW protection
+| 2024-12    | PKI audit logging                  | Full certificate lifecycle traceability
+| 2024-12    | Request duration metrics           | Prometheus histogram for observability
+| 2024-12    | Memory leak CI job                 | tracemalloc-based leak detection in CI
 
 ## Review Schedule