
Document the security headers#220

Merged
mikewheeleer merged 2 commits into
Agentpay-Org:mainfrom
gloskull:Document-the-security-headers
Jun 29, 2026

Conversation

@gloskull

Contributor

Motivation
The project ships a non-trivial set of HTTP hardening headers and a per-route CSP in src/lib/securityHeaders.ts (used from next.config.ts) that were not documented, leaving contributors unsure about unsafe-inline/unsafe-eval, how connect-src is derived from the API base, and how to safely add allowed origins.
Description
Add docs/security-headers.md documenting the full response header map, every CSP directive emitted by buildCsp(), the originOf()/connect-src behavior, the rationale for script-src 'unsafe-inline' and isDev-only 'unsafe-eval', and guidance for safely adding or relaxing origins and directives.
Cross-link the new reference from the README security section so the architecture is discoverable for contributors, and call out the relationship to the pre-paint theme script in src/app/layout.tsx and the source files that own the behavior (src/lib/securityHeaders.ts, next.config.ts).
Testing
Ran a source cross-check with rg to verify every documented header and directive appears in src/lib/securityHeaders.ts, next.config.ts, src/app/layout.tsx, docs/security-headers.md, and README.md, and the grep check succeeded.
Ran npm run lint, which failed due to unrelated pre-existing lint errors in src/components/Header.tsx and a test file, so lint did not pass in this environment.
Ran npm run build, which was blocked in this environment by Google Fonts fetch failures during next/font fetches (network/resource errors), so a full build could not be completed here.
Closes #158
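As an added illustration (not the project's src/lib/securityHeaders.ts, whose bodies are not on this page), here is a hypothetical TypeScript reconstruction of the shape this PR documents: connect-src widened only by the origin of the API base via originOf(), 'unsafe-inline' on script-src for the inline pre-paint theme script, and 'unsafe-eval' only when isDev. The exact directive set, the CspOptions shape and the rejection of non-http(s) schemes are assumptions.

```typescript
// Added illustration of the documented CSP shape. buildCsp()/originOf() are
// the names from the PR text; their bodies here are a hypothetical
// reconstruction, not the project's own implementation.

// Reduce a configured API base URL to its origin so connect-src never carries
// a path, query or trailing slash. Returns null for unparseable input or a
// non-http(s) scheme; the caller then leaves connect-src at 'self' only.
export function originOf(apiBase: string | undefined): string | null {
  if (!apiBase) return null;
  try {
    const u = new URL(apiBase);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

export interface CspOptions {
  apiBase?: string; // e.g. process.env.NEXT_PUBLIC_API_BASE (assumed name)
  isDev: boolean;   // true under `next dev`, where eval-based tooling runs
}

// Build the policy directive by directive. 'unsafe-inline' is kept on
// script-src only because the pre-paint theme script in layout.tsx is inline;
// 'unsafe-eval' is appended solely when isDev, so production never emits it.
export function buildCsp({ apiBase, isDev }: CspOptions): string {
  const apiOrigin = originOf(apiBase);
  const scriptSrc = ["'self'", "'unsafe-inline'"];
  if (isDev) scriptSrc.push("'unsafe-eval'");
  const connectSrc = ["'self'"];
  if (apiOrigin) connectSrc.push(apiOrigin);
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    "script-src": scriptSrc,
    "connect-src": connectSrc,
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  // Object.entries preserves insertion order for string keys, so the
  // serialized policy is stable and easy to diff in review.
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(" ")}`)
    .join("; ");
}
```

A contributor adding an allowed origin should extend connectSrc with originOf() output rather than pasting a full URL, so the directive stays an origin list.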

@gloskull

gloskull commented Jun 29, 2026

Contributor Author

**@mikewheeleer please merge.
If there are any more tasks, even greater than 10 tasks, please assign them to me; I'd make sure to complete them in 2 hours and submit a PR.**

@mikewheeleer

Contributor

solid — merging this 🙌

@mikewheeleer mikewheeleer merged commit f4c2768 into Agentpay-Org:main Jun 29, 2026
1 check failed

Development

Successfully merging this pull request may close these issues.

Document the security headers and Content-Security-Policy architecture