security: implement pentest remediation (PROXY-001, BURN-001, RATE-001)

PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation

BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior

RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS

Test count: 284 -> 291 (7 new security tests)

PROJECT.md

@@ -151,6 +151,6 @@ A self-hosted pastebin API that:
 │ Public certificate registration │ Complete
 │ CLI register command            │ Complete
 │ systemd deployment              │ Complete (security-hardened)
-│ Test suite                      │ 284 tests passing
+│ Test suite                      │ 291 tests passing
 └─────────────────────────────────┴────────────────────────────────────────────┘
 ```