
docs: add SECURITY-HARDENING.md (HTTP/2 bomb mitigation, NetworkPolicy, resource limits)#228

Open
motsc wants to merge 1 commit into main from docs-security-hardening

Conversation

@motsc motsc commented Jun 4, 2026

Adds a production hardening guide. No behavior changes — pure docs addition.

What

  • New docs/SECURITY-HARDENING.md covering:
    • HTTP/2 bomb mitigation (Codex June 2026 disclosure): patched ingress controller versions for nginx 1.29.8+, Apache mod_http2 2.0.41+ (CVE-2026-49975), Envoy/Istio guidance
    • NetworkPolicy starter spec for HyperDX UI/API
    • Recommended HyperDX deployment resource limits (cgroup OOM as DoS backstop)
    • Caveat on exposing OTLP gRPC port 4317 (HTTP/2-only) publicly
    • Upgrade cadence / advisories to subscribe to
  • Link from README.md (new "Production Hardening" section)
  • Link from rendered NOTES.txt footer

Why

Chart defaults are safe for development (Service ClusterIP, Ingress disabled), but production operators frequently flip Ingress on without considering the HTTP/2 termination layer. The June 2026 HTTP/2 bomb disclosure makes the pinning question urgent: nginx-ingress < 4.13.0 / Apache mod_http2 < 2.0.41 are exposed.

Out of scope

  • No changes to chart templates or default values
  • No new toggles or APIs

Customers who want stronger built-in defaults can follow the example values shown in the doc; not enforcing them here keeps the chart backward-compatible.

Documents production hardening for ClickStack deployments:
- HTTP/2 bomb mitigation (Codex disclosure, June 2026): patched ingress
  controller versions for nginx, Apache, Envoy/Istio
- NetworkPolicy starter example for HyperDX UI/API
- Recommended HyperDX deployment resource limits (cgroup OOM bounds DoS)
- Caveats on exposing OTLP gRPC (port 4317, HTTP/2-only) publicly

No behavior changes — pure docs addition + two cross-references.
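Added example, not part of PR #228 or the chart's own documentation: two NetworkPolicy objects and a LimitRange that implement the three hardening points the description lists. The first policy lets the HyperDX UI/API pods accept traffic only from the ingress controller namespace (the HTTP/2 termination layer that must be running a patched version); the second confines the OTLP gRPC receiver on port 4317 to in-cluster sources so the HTTP/2-only port is never reachable from outside; the LimitRange gives every container in the namespace default CPU and memory limits so the cgroup OOM killer bounds a memory-exhaustion DoS even when a deployment omits its own limits. The namespace names, pod labels, port 8080 and the limit values are assumptions and must be checked against the chart's rendered manifests (`helm template` or `kubectl get pods --show-labels`); port 4317 and the `kubernetes.io/metadata.name` namespace label are standard.

```yaml
# Added example for the hardening points in PR #228; not the chart's own manifests.
# Assumed: release namespace "clickstack", ingress controller namespace "ingress-nginx",
# pod labels below, UI/API port 8080, and the limit values. Port 4317 is the standard OTLP gRPC port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: hyperdx-ui-api
  namespace: clickstack
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: hyperdx          # assumed label of the UI/API pods
  policyTypes:
    - Ingress
  ingress:
    # UI/API reachable only through the ingress controller, which terminates HTTP/2
    # and therefore must be on a patched build; all other sources are dropped.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
      ports:
        - protocol: TCP
          port: 8080                            # assumed UI/API port; confirm from the Service
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: otlp-grpc-cluster-only
  namespace: clickstack
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: otel-collector   # assumed label of the OTLP receiver pods
  policyTypes:
    - Ingress
  ingress:
    # OTLP gRPC is HTTP/2-only; accept it only from pods in namespaces that carry an
    # opt-in label, never via a public LoadBalancer or Ingress.
    - from:
        - namespaceSelector:
            matchLabels:
              clickstack.example/otlp-sender: "true"   # assumed opt-in label on app namespaces
      ports:
        - protocol: TCP
          port: 4317
---
apiVersion: v1
kind: LimitRange
metadata:
  name: hyperdx-container-defaults
  namespace: clickstack
spec:
  limits:
    - type: Container
      # Applied to any container that does not set its own requests/limits, so a
      # runaway request handler is OOM-killed instead of taking the node down.
      defaultRequest:
        cpu: 250m
        memory: 512Mi
      default:
        cpu: "1"
        memory: 2Gi
```

NetworkPolicy is only enforced by a CNI that implements it (Calico, Cilium, and similar); on a cluster without one the objects are accepted and silently ignored, so verify with a `kubectl exec` curl from a pod outside the allowed namespace. The LimitRange supplies defaults only; explicit `resources` set through chart values still take precedence, which is why the PR's recommended per-deployment limits remain the primary control.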
changeset-bot Bot commented Jun 4, 2026

⚠️ No Changeset found

Latest commit: 5ac3df9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@motsc motsc marked this pull request as ready for review June 4, 2026 16:51
@motsc motsc requested a review from a team as a code owner June 4, 2026 16:51