Add security checklist to PR template

[ojongerius]

Summary

Add a lightweight security checklist to the PR template so contributors pause to consider security implications before merging.

Suggested additions to the PR template:

• Does this PR touch crypto, auth, or secrets handling?
• If yes, have the primitives and parameters been reviewed?
• Are all inputs validated at trust boundaries?
• Have edge cases been tested (nil, empty, corrupted, concurrent)?

Context: agent-receipts/ar#54 — security issues were caught by automated review rather than upfront during development.