v1 readiness: CHANGELOG + threat model + first-run onboarding polish

- CHANGELOG.md: Keep-a-Changelog format, v1.0.0 entry summarising
  what each phase delivered.
- docs/threat-model.md: structured walkthrough of assets, actors,
  attack surfaces and residual risks; reviewed against v1.0.0.
- cmd/server/main.go: at first-run startup, print a clickable
  $RM_BASE_URL/bootstrap URL alongside the existing one-shot
  bootstrap token (or a fallback hint when RM_BASE_URL is unset).
- web/templates/pages/bootstrap.html: visible "Minimum 12 characters"
  hint under the password field so the rule is communicated
  before the operator submits.
- tasks.md: close X-01, X-04, X-05 with notes.

web/templates/pages/bootstrap.html

@@ -36,6 +36,7 @@
         <label class="field-label" for="bs-pw">Password</label>
         <input id="bs-pw" name="password" type="password" class="field"
                required minlength="12" autocomplete="new-password" />
+        <div class="field-help">Minimum 12 characters.</div>
       </div>
       <div>
         <label class="field-label" for="bs-pw2">Confirm password</label>