docs: add security audit report for new features (Task 22)
Audited cloud file upload, AIUI iframe, context broker, FileBrowser
proxy, and RPC endpoints. Key findings:
- XSS: safe (Vue template escaping)
- Context broker: properly validates origins
- FileBrowser: medium risk path traversal (client-side), token in URLs
- CSRF: high risk (no tokens, but mitigated by JSON content type)
- Nginx: missing security headers
Full report: docs/security-audit-2026-03-05.md
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>