docs: add incident response runbook for production operations (#264)

Create a comprehensive runbook covering severity levels (P1-P4) with
SLAs, incident commander role, and detailed procedures for credential
compromise, data breach, service outage, and third-party provider
incidents. Includes communication templates, post-incident review
process, and NZ Privacy Act breach notification requirements.

Reference the runbook from SECURITY.md and README.md.

Closes #243

Co-authored-by: Rodrigo Leote <rodrigol@leapthought.co.nz>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

README.md

@@ -125,6 +125,7 @@ npx playwright test
 - [Self-Hosting Guide](SELF-HOSTING.md) -- Deployment, configuration, and production setup
 - [Contributing](CONTRIBUTING.md) -- How to contribute to the project
 - [Security Policy](SECURITY.md) -- How to report vulnerabilities
+- [Incident Response Runbook](docs/INCIDENT_RESPONSE.md) -- Production incident procedures
 - [Privacy](PRIVACY.md) -- Data handling and privacy information
 - [Changelog](CHANGELOG.md) -- Release history and changes
 - [Code of Conduct](CODE_OF_CONDUCT.md) -- Community guidelines

SECURITY.md

@@ -79,6 +79,10 @@ When self-hosting MyMascada, please follow these security recommendations:
 - Keep Docker and Docker Compose updated
 - Use Docker secrets for sensitive configuration in production swarm deployments
 
+## Incident Response
+
+For production incident procedures -- including severity classification, containment steps, and communication templates -- see our [Incident Response Runbook](docs/INCIDENT_RESPONSE.md).
+
 ## Acknowledgments
 
 We appreciate the security research community's efforts in helping keep MyMascada and its users safe. Reporters of valid security issues will be acknowledged here (with permission).