docs: add comprehensive threat model

STRIDE analysis covering:
- System architecture and trust boundaries
- Attack surface analysis (10 entry points)
- Threat actors (anonymous, authenticated, operator, sophisticated)
- 20+ threats with mitigations across STRIDE categories
- Security controls matrix
- MIME polyglot attack mitigations
- Cryptographic controls
- Residual risks and known limitations
- Incident response guidance
Username
2025-12-26 17:10:41 +01:00
parent dc2da67fb3
commit 98694ba1cc
2 changed files with 288 additions and 1 deletions

@@ -203,7 +203,7 @@ Not tested (no signature defined):
```
[ ] Add remaining MIME test results to security assessment
[ ] Document rate limiting behavior under attack
[ ] Create threat model diagram
[x] Create threat model diagram (documentation/threat-model.md)
[x] Add security headers audit to CI pipeline
```
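Review bot: the item marked done on the changed line still reads "Create threat model diagram" but now points at documentation/threat-model.md, while the commit message describes a written STRIDE analysis and does not mention a diagram. Either confirm that the file contains the architecture and trust-boundary diagram, or reword the item to "Create threat model" so the checklist does not record a deliverable that was not produced. The two items above it ("Add remaining MIME test results to security assessment" and "Document rate limiting behavior under attack") are still open, and the hunk header shows a "Not tested (no signature defined)" list, so the new document's MIME polyglot mitigations and residual-risk sections should say which cases remain untested.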