Security hardening: rate limiting, atomic locks, origin check, honest docs

API / Security:
- Add api/_helpers.php: shared send_security_headers(), verify_origin(),
  get_hmac_secret(), check_rate_limit(), read_json_locked(), write_json_locked()
- shorten.php: remove Access-Control-Allow-Origin:*, restrict to same-origin,
  rate-limit 20 req/h per IP, atomic JSON read+lock, HMAC secret from file
- verify.php: rate-limit GET (30/min) and POST (10/h) per IP, atomic lock,
  prevent overwriting existing proofs, origin check on POST
- node.php: fix rate limit from 1000 to 60 req/min, add security headers,
  origin check
- check-short.php: add security headers, re-derive signature server-side
- s.php: use file-based HMAC secret via get_hmac_secret(), hash_equals()
  for timing-safe comparison

Service Worker:
- sw.js: navigation requests (mode=navigate) never served from cache;
  network-first with offline fallback to prevent stale invoice state

Documentation (honest claims):
- README: tagline "No backend" -> "No tracking"; new Architecture table
  listing exactly what server sees for each feature; Security Model section
- index.html: meta description and footer updated from "No Backend" to
  "Minimal Backend"
- i18n.js footer: already updated in previous commit

README.md

@@ -1,6 +1,6 @@
 # xmrpay.link — Monero Invoice Generator
 
-> Private. Self-hosted. No accounts. No backend for accounts. No bullshit.
+> Private. Self-hosted. No accounts. No tracking. No bullshit.
 
 **[Live: xmrpay.link](https://xmrpay.link)** · **[Tor: mc6wfe...zyd.onion](http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion)**
 
@@ -12,12 +12,28 @@
 
 Enter your address, the amount, an optional description — and get a QR code, a shareable short link, and a PDF invoice. Done.
 
-### Privacy & Transparency
+### Architecture & Transparency
 
-- **Client-side first:** All cryptographic operations (QR codes, payment verification, PDF generation) run in your browser. Your private keys never leave your device.
-- **Minimal backend:** Optional short URLs, fiat rate caching, and proof storage use a small server component with **no account tracking**. You can self-host or use the public instance.
-- **HMAC-signed short URLs:** Invoice hashes are cryptographically signed to detect server-side tampering.
-- **Address privacy:** Payment proofs are verified client-side only; the server never stores your XMR address.
+xmrpay.link uses a **minimal backend** for the following specific purposes:
+
+| Component | Where it runs | What the server sees |
+|-----------|--------------|---------------------|
+| QR code generation | Browser only | Nothing |
+| PDF invoice | Browser only | Nothing |
+| Payment (TX) verification | Browser only | Nothing |
+| Fiat exchange rates | Server (CoinGecko proxy) | Your IP address |
+| Short URL storage | Server | Invoice hash (address + amount + description), HMAC-signed |
+| Payment proof storage | Server | TX hash + amount — **not** your XMR address |
+
+**Self-hosting** eliminates any trust in the public instance.  
+**No short links** (use the long `/#...` URL or QR code) = zero server involvement.
+
+### Security Model
+
+- **HMAC-signed short URLs:** Hashes are signed with a server-side secret. Clients verify the signature on load to detect tampering.
+- **Address never stored:** Payment verification is cryptographic and runs client-side. The server never learns your XMR address.
+- **Rate-limited APIs:** All write endpoints are rate-limited per IP.
+- **Origin-restricted:** API endpoints reject cross-origin requests.
 
 ---