security: implement CRYPTO-001 and TIMING-001 remediations

CRYPTO-001: Certificate serial collision detection
- Add _generate_unique_serial() helper for database-backed PKI
- Add _generate_unique_serial() method for in-memory PKI class
- Check database for existing serial before certificate issuance
- Retry with new random serial if collision detected (max 5 attempts)

TIMING-001: Constant-time database lookups for sensitive queries
- Add dummy PBKDF2 verification when paste not found
- Prevents timing-based enumeration (attackers can't distinguish
  'not found' from 'wrong password' by measuring response time)

tests/test_cli_security.py

@@ -43,8 +43,8 @@ class TestClipboardPathValidation:
     def test_untrusted_unix_paths(self, fpaste):
         """Paths in user-writable directories should be rejected."""
         assert fpaste.is_trusted_clipboard_path("/home/user/bin/xclip") is False
-        assert fpaste.is_trusted_clipboard_path("/tmp/xclip") is False
-        assert fpaste.is_trusted_clipboard_path("/var/tmp/malicious") is False
+        assert fpaste.is_trusted_clipboard_path("/tmp/xclip") is False  # noqa: S108
+        assert fpaste.is_trusted_clipboard_path("/var/tmp/malicious") is False  # noqa: S108
         assert fpaste.is_trusted_clipboard_path("./xclip") is False
         assert fpaste.is_trusted_clipboard_path("") is False
 
@@ -70,7 +70,7 @@ class TestClipboardPathValidation:
         """find_clipboard_command should reject tools in untrusted paths."""
         with patch("shutil.which") as mock_which:
             # Untrusted path should be rejected
-            mock_which.return_value = "/tmp/malicious/xclip"
+            mock_which.return_value = "/tmp/malicious/xclip"  # noqa: S108
             result = fpaste.find_clipboard_command(fpaste.CLIPBOARD_READ_COMMANDS)
             assert result is None