Add security test coverage and reference documentation
- tests/test_core_validation.py: 108 unit tests for all 10 validation primitives in muse/core/validation.py (validate_object_id, validate_ref_id, validate_branch_name, validate_repo_id, validate_domain_name, contain_path, sanitize_glob_prefix, sanitize_display, clamp_int, finite_float), including a stress test that verifies contain_path rejects a corpus of traversal attempts.
- tests/test_core_xml_safe.py: 14 tests verifying SafeET.parse() correctly parses valid MusicXML, blocks Billion Laughs entity expansion, and blocks XXE file-read attacks.
- tests/test_cli_hub.py: 40 tests for muse hub connect/status/disconnect/ping — helper unit tests plus full CLI invocations with mocked network calls. Covers HTTPS enforcement, redirect refusal, JSON output structure, and identity display.
- tests/test_cli_auth.py: 31 tests for muse auth login/whoami/logout — token resolution order (env var vs flag vs getpass prompt), identity storage and retrieval, JSON output, token masking, multi-hub support.
- docs/reference/security.md: New — security architecture reference covering the trust boundary design, every validation guard, XML safety, HTTP transport hardening, snapshot integrity, identity store security, and size caps.
- docs/reference/auth.md: New — complete muse auth reference with identity file format, all three subcommands, human and agent flows, env vars, and token security best practices.
- docs/reference/hub.md: New — complete muse hub reference with hub vs remote distinction, all four subcommands, HTTPS enforcement rationale, redirect refusal design, and typical setup workflows.
- docs/reference/remotes.md: Replace stale Token Lifecycle section (pointed to config.toml) with current pointer to auth.md.
- docs/README.md: Add quick-nav links to auth.md, hub.md, security.md; update directory map; bump displayed version to v0.1.3.
All gates: mypy 0 errors, typing_audit 0 violations, 2160 tests green.
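As an added illustration of the containment check the first test bullet describes (this is not code from the muse project; the `contain_path` signature, the `PathEscapeError` name and the traversal corpus are assumed here), a root-confining path guard checked against a constructed set of escape attempts:

```python
# Added illustration: a path-containment guard of the kind the commit's
# contain_path tests describe. Signature and error type are assumed,
# not the muse project's own implementation.
from pathlib import Path, PurePosixPath


class PathEscapeError(ValueError):
    """Raised when a relative path would land outside its root."""


def contain_path(root: str, relative: str) -> Path:
    """Resolve `relative` under `root`, refusing anything that escapes.

    Checks, in order:
      1. reject NUL bytes and absolute paths outright;
      2. reject any '..' component before touching the filesystem
         (conservative: even 'a/../b' is refused);
      3. resolve symlinks and confirm the result is still under root.
    """
    if "\x00" in relative:
        raise PathEscapeError("NUL byte in path")
    rel = PurePosixPath(relative.replace("\\", "/"))  # normalise separators
    if rel.is_absolute() or any(part == ".." for part in rel.parts):
        raise PathEscapeError(f"path escapes root: {relative!r}")
    root_resolved = Path(root).resolve()
    candidate = (root_resolved / rel).resolve()  # follows symlinks
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise PathEscapeError(f"path escapes root: {relative!r}") from None
    return candidate


# Constructed traversal corpus; every entry must be rejected.
TRAVERSAL_CORPUS = [
    "../etc/passwd",
    "a/../../etc/passwd",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
    "scores/\x00.xml",
]


def rejects_all(root: str, corpus=TRAVERSAL_CORPUS) -> bool:
    """True when contain_path raises PathEscapeError for every entry."""
    for attempt in corpus:
        try:
            contain_path(root, attempt)
        except PathEscapeError:
            continue
        return False
    return True
```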