docs: Add pentest results and update project docs

Executed non-invasive pentest against amber-maple (v1.12-dev):
- Phase 1: mDNS, port scan, binary analysis, eFuse readout
- Phase 2: HMAC timing, command injection (27 tests), replay (6 tests)
- Phase 3: NVS analysis, CVE check (12 CVEs), binary structure
All network-facing tests PASS. Physical security gaps documented.

ROADMAP.md

@@ -154,8 +154,21 @@ Note: Promiscuous mode (probe/deauth capture) disabled on original ESP32 — bre
 - [x] OTA rollback validation (crasher firmware + bootloader rollback confirmed)
 - [x] Tagged v1.11.0 and OTA deployed to all 3 sensors
 
-## v1.12 - Monitoring & Multi-Target (unreleased)
+## v1.12 - Security Hardening & Monitoring (unreleased)
 - [x] ALERT command (temp/heap thresholds, EVENT emission, 60s holdoff, NVS persisted)
+- [x] Auth whitelist (read-only queries only without HMAC)
+- [x] AUTH OFF disabled remotely (serial/FACTORY only)
+- [x] STATUS split (minimal unauthed vs full authed)
+- [x] Rate limiter (50ms throttle, 20 cmd/s)
+- [x] NVS write throttle (20 writes per 10s)
+- [x] CSI buffer bounds checking (UDP_REM macro)
+- [x] PMF required (`CONFIG_ESP_WIFI_PMF_REQUIRED=y`)
+- [x] mDNS stripped to hostname-only (no service advertisement)
+- [x] Serial console AUTH management
+- [x] Auto-generated auth secret on first boot
+- [x] Pentest completed: 50+ tests, all network-facing tests PASS
+- [ ] Enable stack canaries (`CONFIG_COMPILER_STACK_CHECK_MODE_NORM`)
+- [ ] Enable heap poisoning (`CONFIG_HEAP_POISONING_LIGHT`)
 - [ ] Multi-target (send data to 2+ UDP destinations)
 
 ## Web Backend (`~/git/esp32-web/`)