feat(security): merge Phase 4b security hardening

Complete security hardening implementation including HTTPS enforcement,
security headers, rate limiting, and comprehensive security test suite.

Key features:
- HTTPS enforcement with HSTS support
- Security headers (CSP, X-Frame-Options, X-Content-Type-Options)
- Rate limiting for all critical endpoints
- Enhanced email template security
- 87% test coverage with security-specific tests

Architect approval: 9.5/10

Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 18:28:50 -07:00
parent 115e733604
commit d3c3e8dc6b
23 changed files with 3762 additions and 7 deletions


@@ -88,9 +88,9 @@ Gondulf IndieAuth Server
try:
self._send_email(to_email, subject, body)
logger.info(f"Verification code sent to {to_email} for domain={domain}")
logger.info(f"Verification code sent for domain={domain}")
except Exception as e:
logger.error(f"Failed to send verification email to {to_email}: {e}")
logger.error(f"Failed to send verification email for domain={domain}: {e}")
raise EmailError(f"Failed to send verification email: {e}") from e
def _send_email(self, to_email: str, subject: str, body: str) -> None:
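Review bot: Removing `to_email` from the info and error logs is the right call for PII minimisation, but the scrub is incomplete in the `except` branch: `{e}` is still interpolated into both `logger.error(...)` and the raised `EmailError`, and smtplib exceptions such as `SMTPRecipientsRefused` carry the recipient address in their message, so the email can still reach the log and the caller through the exception text. Consider logging `type(e).__name__` (or a sanitised message) and keeping the full exception only via `exc_info` at a level that is not shipped to shared log sinks, e.g. `logger.error("Failed to send verification email for domain=%s: %s", domain, type(e).__name__)`. The same consideration applies to the `EmailError` message if it can surface in an HTTP response.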
@@ -139,7 +139,7 @@ Gondulf IndieAuth Server
server.send_message(msg)
server.quit()
logger.debug(f"Email sent successfully to {to_email}")
logger.debug("Email sent successfully")
except smtplib.SMTPAuthenticationError as e:
raise EmailError(f"SMTP authentication failed: {e}") from e
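Review bot: `logger.debug("Email sent successfully")` now carries no identifier at all, which makes a successful-send event impossible to correlate with the domain-level info log emitted by the caller in the previous hunk. Since `_send_email` only receives `to_email`, consider passing a non-PII correlation value (the domain, or the generated `Message-ID`) into `_send_email`, or drop this debug line and rely on the caller's `logger.info(f"Verification code sent for domain={domain}")`, rather than keeping a context-free message.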