
Add security hardening checklist to generated projects #50

@PAMulligan

Description

Add a `SECURITY-CHECKLIST.md` to generated projects that provides a pre-deployment security review checklist specific to the generated API configuration.

Why

Nerva generates secure APIs by default, but security is context-dependent. A checklist reminds developers to review environment-specific settings (CORS origins, rate limits, JWT secrets) before deploying to production. This bridges the gap between "secure by default" and "secure in your environment."

Acceptance Criteria

  • Generate `SECURITY-CHECKLIST.md` as part of `setup-project.sh` output
  • Include checks for:
    • Replace default JWT secret with a strong, unique secret
    • Configure CORS origins (remove wildcard `*`)
    • Set rate limiting appropriate to your traffic
    • Enable HTTPS in production
    • Review database credentials (not hardcoded, use env vars)
    • Enable security headers (HSTS, CSP, etc.)
    • Run `./scripts/security-scan.sh` before deploying
    • Review Dependabot alerts
    • Configure logging (don't log sensitive data)
    • Set appropriate token expiry times
  • Customize checklist based on deployment target (Workers vs Node.js)
  • Customize based on auth strategy selected
  • CI passes
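
As an added example (not Nerva's own code and not part of this issue), the script below turns the machine-checkable items in the acceptance criteria into a pre-deployment audit over a `process.env`-style object, with the target-specific (`node` vs `workers`) and auth-specific (`jwt` vs `api-key`) branches the last two criteria ask for. The variable names (`JWT_SECRET`, `CORS_ORIGINS`, `JWT_EXPIRY_SECONDS`, `RATE_LIMIT_PER_MINUTE`, `FORCE_HTTPS`, `DATABASE_URL`, `API_KEYS`), the option values and the sample configs are assumptions constructed for the example. Items that need a human (reviewing Dependabot alerts, running the scan script, checking what gets logged) stay on the written checklist.

```javascript
// Added example, not Nerva project code. Variable names, option values and the
// two sample environments are assumptions made for illustration.
const MIN_SECRET_BYTES = 32;        // 256-bit key for HMAC-signed JWTs
const MAX_ACCESS_TOKEN_TTL = 3600;  // access tokens beyond 1h widen the replay window
const PLACEHOLDERS = ["changeme", "change-me", "secret", "default", "example", "todo"];
const DEFAULT_DB_PASSWORDS = new Set(["", "password", "postgres", "root", "admin"]);

// Shannon entropy estimate (bits) over the whole string. A length check alone
// accepts "aaaa...", which carries almost no entropy; this catches it.
function entropyBits(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) { const p = n / s.length; perChar -= p * Math.log2(p); }
  return perChar * s.length;
}

// Shared check for any bearer secret (JWT signing key, API key list).
function checkSecret(name, value, findings) {
  const id = name.toLowerCase().replace(/_/g, "-");
  if (!value) return findings.push({ level: "error", id: `${id}-missing`, msg: `${name} is not set` });
  if (PLACEHOLDERS.some((m) => value.toLowerCase().includes(m)))
    findings.push({ level: "error", id: `${id}-placeholder`, msg: `${name} looks like a scaffold placeholder` });
  if (Buffer.byteLength(value, "utf8") < MIN_SECRET_BYTES)
    findings.push({ level: "error", id: `${id}-short`, msg: `${name} is under ${MIN_SECRET_BYTES} bytes` });
  else if (entropyBits(value) < 128)
    findings.push({ level: "warn", id: `${id}-low-entropy`, msg: `${name} has low estimated entropy` });
}

function checkCors(env, findings) {
  if (!env.CORS_ORIGINS)
    return findings.push({ level: "warn", id: "cors-unset", msg: "CORS_ORIGINS is empty; browser clients will be refused" });
  for (const o of env.CORS_ORIGINS.split(",").map((s) => s.trim()).filter(Boolean)) {
    if (o === "*") { findings.push({ level: "error", id: "cors-wildcard", msg: "CORS_ORIGINS contains '*'" }); continue; }
    let u;
    try { u = new URL(o); } catch { findings.push({ level: "error", id: "cors-invalid", msg: `'${o}' is not a URL` }); continue; }
    // Browsers send Origin as scheme://host[:port]; a trailing slash or path in
    // the allowlist means an exact-match comparison never succeeds.
    if (u.origin !== o)
      findings.push({ level: "warn", id: "cors-not-origin", msg: `'${o}' should be written as ${u.origin}` });
    if (u.protocol !== "https:" && !["localhost", "127.0.0.1"].includes(u.hostname))
      findings.push({ level: "error", id: "cors-insecure-origin", msg: `'${o}' is not https` });
  }
}

function checkLimits(env, auth, findings) {
  if (auth === "jwt") {
    const ttl = Number(env.JWT_EXPIRY_SECONDS);
    if (!(ttl > 0)) findings.push({ level: "warn", id: "jwt-ttl-unset", msg: "JWT_EXPIRY_SECONDS unset; tokens may never expire" });
    else if (ttl > MAX_ACCESS_TOKEN_TTL)
      findings.push({ level: "warn", id: "jwt-ttl-long", msg: `token lifetime ${ttl}s exceeds ${MAX_ACCESS_TOKEN_TTL}s` });
  }
  const rl = Number(env.RATE_LIMIT_PER_MINUTE);
  if (!(rl > 0)) findings.push({ level: "warn", id: "rate-limit-off", msg: "RATE_LIMIT_PER_MINUTE unset or 0" });
}

// A Node.js deployment serves its own traffic and owns its DB credentials, so
// it must enforce TLS and must not ship default passwords. A Worker is only
// reachable through Cloudflare's TLS-terminating edge, so these two checks do
// not apply there.
function checkNodeTarget(env, findings) {
  if (env.FORCE_HTTPS !== "true")
    findings.push({ level: "error", id: "https-not-forced", msg: "FORCE_HTTPS must be 'true' in production" });
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^:@\/]+):([^@\/]*)@/i.exec(env.DATABASE_URL || "");
  if (!m) findings.push({ level: "warn", id: "db-url-unparsed", msg: "DATABASE_URL missing or without user:password@host" });
  else if (DEFAULT_DB_PASSWORDS.has(m[2].toLowerCase()) || m[2] === m[1])
    findings.push({ level: "error", id: "db-default-credentials", msg: "DATABASE_URL uses a default or empty password" });
}

// Returns { ok, findings }; ok is false only on error-level findings.
function auditEnv(env, { target = "node", auth = "jwt" } = {}) {
  const findings = [];
  if (auth === "jwt") checkSecret("JWT_SECRET", env.JWT_SECRET, findings);
  else if (auth === "api-key") checkSecret("API_KEYS", env.API_KEYS, findings);
  else findings.push({ level: "error", id: "auth-unknown", msg: `unknown auth strategy '${auth}'` });
  checkCors(env, findings);
  checkLimits(env, auth, findings);
  if (target === "node") checkNodeTarget(env, findings);
  else if (target !== "workers") findings.push({ level: "error", id: "target-unknown", msg: `unknown target '${target}'` });
  return { ok: !findings.some((f) => f.level === "error"), findings };
}

// Constructed sample configurations (not real deployments).
const INSECURE_ENV = {
  JWT_SECRET: "change-me-in-production", CORS_ORIGINS: "*,http://app.example.com",
  JWT_EXPIRY_SECONDS: "2592000", RATE_LIMIT_PER_MINUTE: "0", FORCE_HTTPS: "false",
  DATABASE_URL: "postgres://postgres:postgres@db:5432/app",
};
const HARDENED_ENV = {
  JWT_SECRET: "3f8a1c6e9b0d2475d2a7f09c3e6b15847b4e0a9f2c5d8316e91c5b3d7f0a2468",
  CORS_ORIGINS: "https://app.example.com,https://admin.example.com",
  JWT_EXPIRY_SECONDS: "900", RATE_LIMIT_PER_MINUTE: "120", FORCE_HTTPS: "true",
  DATABASE_URL: "postgres://api_user:s7%2BxQ9vL@db.internal:5432/app",
};

for (const [name, env] of [["insecure", INSECURE_ENV], ["hardened", HARDENED_ENV]]) {
  const r = auditEnv(env, { target: "node", auth: "jwt" });
  console.log(`${name}: ok=${r.ok}`);
  for (const f of r.findings) console.log(`  [${f.level}] ${f.id}: ${f.msg}`);
}
```

Running it against the insecure sample reports eight findings (placeholder and short JWT secret, wildcard and plain-http CORS origins, 30-day token lifetime, rate limiting off, HTTPS not forced, default database password) and exits non-ok; the hardened sample reports none. Warnings never block a deploy on their own, so the thresholds can be tuned per project without turning the audit into noise.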
