docs: add SECURITY.md (threat model + hardening posture)

[sam-powers]

Adds docs/SECURITY.md to make Quill's security posture legible to a reviewing engineer — not just a list of mitigations, but the reasoning behind what was and wasn't hardened.

What it documents

• Threat model. Quill's shape (local single-user macOS app, no server) and the three places real risk concentrates: the webview, the IPC/filesystem boundary, and the quill:// deep link (the one attacker-influenced entry point — any web page can fire it).
• The core finding both audit passes reached: Quill trusted deserialized data (sidecar, draft, deep-link target) more than rendered data. Hostile/corrupt annotation positions could reach doc.resolve() and white-screen the app on open.
• The four merged hardening measures, with the load-bearing code quoted:
  • security: confine file commands and validate deep-link targets #57 — filesystem-command extension confinement + deep-link canonicalize/regular-file validation
  • security: validate deserialized annotation data on load #58 — single-source annotation sanitization at both deserialization boundaries
  • security: restrict link and update-banner URLs to safe schemes #59 — URL-scheme allowlists on link marks and the update banner
  • security: harden claude binary resolution #60 — binary resolution gated on a real file
• Two deliberate non-fixes, with rationale: asset-protocol $HOME/** scope (can't narrow without breaking the editor; <img> can't exfiltrate) and the remote-image beacon (inherent to Markdown, constrained by CSP).
• What the posture does not cover, stated plainly.

Doc-only; no code change. All four referenced fixes are already merged to main.

🤖 Generated with Claude Code