docs: enhance PR template with security checklist

Added sections:
- Security checklist (secrets, input validation, OWASP)
- Dependency review requirements
- Backward compatibility checklist
- Performance change documentation

Author: 27Bslash6

.github/pull_request_template.md

@@ -11,7 +11,35 @@ Why are these changes needed? What problem do they solve?
 - [ ] Bug fix (non-breaking)
 - [ ] New feature (non-breaking)
 - [ ] Breaking change
+- [ ] Performance improvement
 - [ ] Documentation update
+- [ ] Refactoring (no behavior change)
+- [ ] CI/CD or tooling change
+
+---
+
+## Security Checklist
+
+**For ALL PRs, verify:**
+
+- [ ] No secrets, credentials, or API keys in code or comments
+- [ ] No hardcoded sensitive data (use env vars or config)
+- [ ] User input is validated/sanitized where applicable
+- [ ] Error messages don't leak sensitive information
+
+**For PRs touching security-critical paths** (`/rust/`, `/src/cachekit/serializers/`, `/src/cachekit/reliability/`, workflows):
+
+- [ ] Changes reviewed by security team (@cachekit-io/security)
+- [ ] No new `unsafe` blocks without justification
+- [ ] Cryptographic code uses audited libraries (no custom crypto)
+- [ ] FFI boundaries maintain memory safety guarantees
+
+**For PRs adding/updating dependencies:**
+
+- [ ] Dependency is from trusted source with active maintenance
+- [ ] No known CVEs (`pip-audit` / `cargo-audit` clean)
+- [ ] License is compatible (MIT, Apache-2.0, BSD)
+- [ ] Justified: not adding unnecessary attack surface
 
 ---
 
@@ -38,6 +66,15 @@ Why are these changes needed? What problem do they solve?
 - [ ] Integration tests added/updated
 - [ ] Tests pass: `make test-critical`
 - [ ] No test regressions
+- [ ] For performance changes: Benchmark results attached
+
+---
+
+## Backward Compatibility
+
+- [ ] API is backward compatible OR breaking change is documented
+- [ ] No removal of public APIs without deprecation period
+- [ ] Migration path documented for breaking changes
 
 ---