
docs(security): add SigV4 verification + IAM enforcement reference page #402

Merged
vieiralucas merged 1 commit into main from worktree-sigv4-iam-batch9-docs
Apr 15, 2026


@vieiralucas vieiralucas commented Apr 15, 2026

Summary

Final batch (9 of 9) for the opt-in SigV4 + IAM enforcement rollout — ships the user-facing documentation. No code changes.

  • New /docs/reference/security.md: full reference for the two opt-in flags, the reserved test/test root-bypass convention, the SigV4 verification flow, the three IAM modes (off/soft/strict), the Phase 1 evaluator scope (implemented vs explicitly not), the enforced-service list (IAM, STS, SQS, SNS, S3 with ARN shapes), and a practical bootstrap-alice-then-deny example.
  • limitations.md: replaced the "SigV4 signatures are not validated" section with a pointer to the new security page, explicitly listing Phase 1 scope so users don't expect Condition blocks or resource-based policies.
  • services/iam.md: updated the "Gotchas" section to describe the opt-in evaluation path instead of "policies are stored but not evaluated".
  • README.md: added a "Why fakecloud" bullet calling out opt-in SigV4 verification + IAM enforcement as a differentiator.

What shipped across the full rollout

| Batch | PR | Contents |
|---|---|---|
| 1 | #388 | Config flags + IamMode + is_root_bypass + startup WARN |
| 2 | #389 | STS temp credential secret persistence + credential_secret lookup |
| 3 | #390 | SigV4 cryptographic verification (canonical request, signing key chain, constant-time compare, ±15min skew, 6 E2E tests) |
| 4 | #391 | Principal resolution + PrincipalType classifier + AwsRequest.principal plumbing |
| 5 | #392 | Phase 1 IAM policy evaluator (Allow/Deny precedence, Action/Resource wildcards, 29 unit tests) |
| 6 | #394 | ServiceMetadata hooks on AwsService + dispatch enforcement wiring + soft/strict audit logging |
| 7 | #395 | IAM + STS enforcement (128 + 8 actions) + 8 E2E tests proving the full pipeline end-to-end |
| 8 | #399 | SQS + SNS + S3 enforcement (20 + 34 + 74 actions) + 5 more E2E tests |
| 9 | this PR | Docs, README, website |

Enforcement surface: IAM, STS, SQS, SNS, S3 — matches the same services LocalStack Pro ships for its paid IAM feature.

Cubic caught 5 real bugs across the rollout (identified by cubic): multi-byte panic on root-bypass prefix check, PrincipalType::Root fallback silently bypassing enforcement, pathed IAM user names not resolving, CreateServiceLinkedRole wrong parameter, S3 ?attributes/?restore missing method guards, SNS CreateTopic account id inconsistency, SNS ConfirmSubscription wrong ARN field. All fixed on the same PRs they were raised on.

Test plan

  • cargo clippy --workspace --all-targets -- -D warnings clean (docs-only PR, no new code)
  • Website builds (Zola) — no dead links to the new page
  • /docs/reference/security page renders with all internal links resolving

Summary by cubic

Adds a new security reference page documenting opt-in SigV4 verification and Phase 1 IAM enforcement, and updates limitations, IAM docs, and README to point to it. No code changes.

  • New Features - New features added
    • New docs/reference/security.md covering --verify-sigv4, --iam off|soft|strict, reserved test/test root-bypass, SigV4 verification flow, Phase 1 IAM scope, enforced services (IAM, STS, SQS, SNS, S3), and a quick-start example.
    • docs/reference/limitations.md: replaces the old SigV4 note with a link to the new page and the Phase 1 scope.
    • docs/services/iam.md: updates “Gotchas” to describe opt-in evaluation and what’s out of scope.
    • README.md: adds a “Why fakecloud” bullet highlighting opt-in SigV4 + IAM (--verify-sigv4, --iam) with a link to the security docs.

Written for commit 63002b1. Summary will update on new commits.
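
Added example (not code from this PR or from fakecloud): the evaluation order named in the rollout table, where an explicit Deny overrides any Allow and Action/Resource patterns use `*` wildcards, combined with the off/soft/strict modes. The type and function names, the sample policy and account id, and the reading of soft mode as log-and-allow are assumptions.

```rust
// Added illustration: all names are hypothetical, not fakecloud's API.
enum Effect { Allow, Deny }
#[derive(Clone, Copy, PartialEq, Debug)]
enum Decision { Allow, ImplicitDeny, ExplicitDeny }
#[derive(Clone, Copy, PartialEq, Debug)]
enum IamMode { Off, Soft, Strict }
struct Statement { effect: Effect, actions: Vec<&'static str>, resources: Vec<&'static str> }
// '*' matches any run of characters. Works on chars, so multi-byte input is safe.
fn glob(pat: &str, text: &str) -> bool {
    let (p, t): (Vec<char>, Vec<char>) = (pat.chars().collect(), text.chars().collect());
    let (mut pi, mut ti, mut mark, mut star) = (0usize, 0usize, 0usize, None);
    while ti < t.len() {
        if pi < p.len() && p[pi] == '*' { star = Some(pi); mark = ti; pi += 1; }
        else if pi < p.len() && p[pi] == t[ti] { pi += 1; ti += 1; }
        else if let Some(s) = star { pi = s + 1; mark += 1; ti = mark; } // widen the last '*'
        else { return false; }
    }
    p[pi..].iter().all(|&c| c == '*')
}

// Explicit Deny beats any Allow; no matching statement is an implicit deny.
fn evaluate(policy: &[Statement], action: &str, resource: &str) -> Decision {
    let mut decision = Decision::ImplicitDeny;
    for s in policy {
        let hit = s.actions.iter().any(|a| glob(a, action)) && s.resources.iter().any(|r| glob(r, resource));
        if !hit { continue; }
        if let Effect::Deny = s.effect { return Decision::ExplicitDeny; }
        decision = Decision::Allow;
    }
    decision
}

// Assumption: soft mode logs the denial and lets the request through; strict rejects it.
fn enforce(mode: IamMode, d: Decision, audit: &mut Vec<String>) -> bool {
    if mode == IamMode::Off || d == Decision::Allow { return true; }
    audit.push(format!("{:?} in {:?} mode", d, mode));
    mode == IamMode::Soft
}
// Constructed policy: allow all SQS actions on one account's queues, deny DeleteQueue everywhere.
fn sample_policy() -> Vec<Statement> {
    vec![Statement { effect: Effect::Allow, actions: vec!["sqs:*"], resources: vec!["arn:aws:sqs:us-east-1:000000000000:*"] },
         Statement { effect: Effect::Deny, actions: vec!["sqs:DeleteQueue"], resources: vec!["*"] }]
}

fn main() {
    let mut audit = Vec::new();
    let d = evaluate(&sample_policy(), "sqs:DeleteQueue", "arn:aws:sqs:us-east-1:000000000000:jobs");
    let proceeds = enforce(IamMode::Strict, d, &mut audit);
    println!("{:?} proceeds={} audit={:?}", d, proceeds, audit);
}
```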

Wraps up the opt-in security rollout (batches 1-8) with user-facing
documentation and a README bullet. No code changes.

- New /docs/reference/security.md: full reference for the two opt-in
  flags, the reserved test/test root-bypass convention, the SigV4
  verification flow, the three IAM modes (off/soft/strict), the
  Phase 1 evaluator scope (implemented vs explicitly not), the
  enforced-service list (IAM, STS, SQS, SNS, S3 with ARN shapes),
  and a practical bootstrap-alice-then-deny example.
- limitations.md: replaced the 'SigV4 signatures are not validated'
  section with a pointer to the new security page, explaining the
  Phase 1 scope so users don't expect condition blocks.
- services/iam.md: updated the 'Gotchas' section to describe the
  opt-in evaluation path.
- README.md: added a 'Why fakecloud' bullet calling out opt-in
  SigV4 verification + IAM enforcement as a differentiator.

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 4 files

@vieiralucas vieiralucas merged commit fc03275 into main Apr 15, 2026
33 checks passed
@vieiralucas vieiralucas deleted the worktree-sigv4-iam-batch9-docs branch April 15, 2026 00:41