Commit a773e82
docs: add public security audit report with remediation status
## Summary
- Adds `docs/security/audit-2026-02-12.md` — a polished, public-facing
version of the February 2026 independent security audit report
- Updates `SECURITY.md` with a link to the audit report under a new
"Security Audits" section
### Audit Report Contents
- **18 findings** (SEC-001 through SEC-018) with full descriptions,
severity, CWE references, and remediation status
- **14 remediated** across PRs #139, #140, #141, and #142
- **4 accepted risk** (informational findings with documented rationale)
- **Findings summary table** at the top for quick reference
- **Coverage matrix** showing validation status across all 9 server
packages
- **CWE Top 25 mapping** and **OWASP compliance** comparison
- **14 positive findings** (POS-001 through POS-014) documenting
architectural security strengths
### PR-to-Finding Mapping
| PR | Findings |
|----|----------|
| #139 | SEC-003, SEC-004, SEC-005, SEC-013 |
| #140 | SEC-002, SEC-008, SEC-009, SEC-010, SEC-014 |
| #141 | SEC-001, SEC-006, SEC-011 |
| #142 | SEC-007, SEC-012 |
## Test plan
- [ ] Verify markdown renders correctly on GitHub
- [ ] Verify all PR links resolve correctly
- [ ] Verify SECURITY.md link to audit report works
- [ ] Confirm no sensitive information is included (all findings are
already public knowledge via merged PRs)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent e489558 commit a773e82
2 files changed
Lines changed: 672 additions & 0 deletions
[Rendered diff of one of the two changed files: four lines were inserted after original line 26 (new lines 27–30), with unchanged context at lines 24–26 and 27–29; the text of the added lines was not captured in the extraction.]