docs(04-security): create phase plan

3 plans in 2 waves covering all 5 SECU requirements:
- Plan 01 (W1): Security service foundation (JWT, Ed25519, bootstrap token)
- Plan 02 (W2): Spring Security filter chain, endpoint protection, test adaptation
- Plan 03 (W2): SSE payload signing with Ed25519

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.planning/ROADMAP.md

@@ -76,10 +76,12 @@ Plans:
   2. Agents can refresh expired JWTs via the refresh endpoint without re-registering
   3. Server generates an Ed25519 keypair at startup, delivers the public key during registration, and all config-update and replay SSE payloads carry a valid Ed25519 signature
   4. Bootstrap token from CAMELEER_AUTH_TOKEN environment variable is required for initial agent registration
-**Plans**: TBD
+**Plans:** 3 plans
 
 Plans:
-- [ ] 04-01: JWT authentication filter, refresh flow, Ed25519 keypair generation and config signing, bootstrap token validation
+- [ ] 04-01-PLAN.md -- Security service foundation: JwtService, Ed25519SigningService, BootstrapTokenValidator, Maven deps, config
+- [ ] 04-02-PLAN.md -- Spring Security filter chain, JWT auth filter, registration/refresh integration, existing test adaptation
+- [ ] 04-03-PLAN.md -- Ed25519 signing of SSE command payloads (config-update, deep-trace, replay)
 
 ## Progress
 
@@ -92,4 +94,4 @@ Note: Phases 2 and 3 both depend only on Phase 1 and could execute in parallel.
 | 1. Ingestion Pipeline + API Foundation | 3/3 | Complete | 2026-03-11 |
 | 2. Transaction Search + Diagrams | 3/4 | Gap Closure |  |
 | 3. Agent Registry + SSE Push | 2/2 | Complete   | 2026-03-11 |
-| 4. Security | 0/1 | Not started | - |
+| 4. Security | 0/3 | Not started | - |