Add basic security headers to HTTP status server (#186)

[ikaro1192]

Summary

• Wrap the WAI application with withSecurityHeaders middleware that sets X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and Cache-Control: no-store on every response (including 404 / 405).
• Expose securityHeaders, withSecurityHeaders, and securedHttpApp from PureMyHA.HTTP.Server; startHTTPServer now serves through securedHttpApp.
• Add unit tests covering the constant and every route, plus an E2E header check on /health, /cluster/e2e/status, and /metrics.
• Document the headers and their purpose in docs/http-api.md.

Closes #186.

Test plan

• cabal build all (with -Werror)
• cabal test — 617 examples, 0 failures
• make e2e-test T=13 — 25 passed, 0 failed (includes 9 new header assertions)

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.17%. Comparing base (ce00446) to head (4b4756e).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #202      +/-   ##
==========================================
+ Coverage   97.14%   97.17%   +0.02%     
==========================================
  Files          50       50              
  Lines        8066     8148      +82     
==========================================
+ Hits         7836     7918      +82     
  Misses        230      230              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.