
docs: add security policy and hardening guide#150

Merged: joshua-temple merged 2 commits into main from docs/security-hardening on Jun 14, 2026


Conversation

@joshua-temple (Collaborator)

Problem: the repo lacked a published security model and consumer-facing hardening guidance, and the root SECURITY.md did not link to one.

Fix:

  • Finalize root SECURITY.md: supported versions, private vulnerability reporting via GitHub Security Advisories, response expectations, a Security model paragraph, and a link to the hardening guide.
  • Add a Security and hardening docs page (Starlight) covering the shared-responsibility model: what cascade provides secure by construction, what is on the roadmap, what the consumer configures in GitHub and their cloud, plus an ordered hardening checklist.
  • Add the page to the docs sidebar after Architecture.

Framing: this is hardening guidance and a security model, not a vulnerability disclosure. Cross-repo coordination is documented as a same-organization, shared-token model with the dispatch token as the trust boundary.

Verification: guardrail scan clean on all changed files; commit GPG-signed and DCO signed-off. Docs npm deps are not installed locally, so the Astro build was not run (no dependency changes; markdown + sidebar config only).

Note for maintainer: SECURITY.md contains an obvious placeholder alternative contact (security-contact-placeholder@example.com) to replace or delete, and a reminder to enable Private Vulnerability Reporting in repo settings.

Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
@joshua-temple joshua-temple merged commit 6095f71 into main Jun 14, 2026
3 checks passed