docs(security): Wave 6 security audit + report templates (SEC-01…SEC-31)

[ericmt-98]

What

Lands the security audit doc and the per-issue report templates that the published security-audit issues link to. Without these files in main, the delivery links in those issues 404.

• docs/SECURITY_AUDIT_WAVE6.md — full audit, 3 batches:
  • Batch 1 (SEC-01…11, [SEC-01] Flag mockStellar puede bypassear verificación de firma en producción #208–[SEC-11] Mismatch cliente/servidor en el flujo de autenticación #218) — auth, HTLC/QR, keypair storage, JWT, deep links, ZK root, etc.
  • Batch 2 (SEC-12…21, [SEC-12] Bypass total de x402: prefijo mock: en X-PAYMENT sin gate de entorno #243–[SEC-21] CORS comodín (origin: *) en toda la API + ausencia de cabeceras de seguridad #252) — x402 payment layer + uncovered server routes (credentials, bazaar, agent/swaps, demo, fund, ramp) + CORS/headers.
  • Batch 3 (SEC-22…31, [SEC-22] (App movil) Lecturas directas de localStorage esquivan el secure storage nativo #254–[SEC-31] (App movil) El flag de demo de build (VITE_DEMO_MODE) puede quedar embebido en el APK release #263) — mobile app (micopay/frontend, Capacitor/APK): secure-storage bypass, clipboard secret, trade-state override, CSP, App Links, QR parser, demo flag. Honest scope note: native Android hardening (backup/cleartext/debuggable/minify) is already correct and not reported.
• docs/security-reports/SEC-01…SEC-31 — one delivery template per issue.

Delivery flow (how contributors report)

Maintainer assigns one contributor per issue → the contributor fills docs/security-reports/SEC-XX-*.md (Resultado / Evidencia / Reproducible en testnet / Hallazgos / Fix) → opens a PR (Drips-trackable) or comments on the issue. Mirrors the research VALIDATION_DRIPS.md model: one file per issue → no merge conflicts.

Notes

• SEC-12…31 are grounded in real file:line and ship with repro steps.
• Each of the 20 new issues was edited to add a "Cómo entregar" section linking to its template here.

🤖 Generated with Claude Code

[ericmt-98]

Cerrado por redundante: el documento de auditoría docs/SECURITY_AUDIT_WAVE6.md ya está en main, y los reportes por issue están aterrizando directo en main conforme los contribuidores los entregan (ya hay 20). Las plantillas en blanco de este PR dejaron de ser necesarias y generaban conflictos, así que no se mergean.