The official Python SDK for Model Context Protocol servers and clients
hardening: tighten limits, immutability, and drive-letter detection
Bundled low-severity hardening:
- Lower DEFAULT_MAX_TEMPLATE_LENGTH from 1MB to 8KB. Real templates
are under 200 bytes; the old limit allowed 0.75s parse times.
- Replace max_expressions with max_variables (default 256). A single
{v0,v1,...,vN} expression packed arbitrarily many variables under
one expression count, bypassing the limit.
- Store UriTemplate internals as tuples. The dataclass is frozen but
list fields were mutable via t._parts.append(), violating the
immutability contract.
- Coerce ResourceSecurity.exempt_params to frozenset in __post_init__
so hash() works even when callers pass a regular set.
- Check drive letters against ASCII only. str.isalpha() is
Unicode-aware, so is_absolute_path("Ω:foo") falsely returned True.
Max Isbey committed
ec63c200fcca990538c20869453f02df73860689
Parent: 6e55991
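To make the last two bullets concrete, here is an added, self-contained illustration (not the SDK's own code) of the ASCII-only drive-letter check beside the Unicode-aware one it replaces, and of counting variables across every expression so that one `{v0,v1,...,vN}` cannot hide N names behind a single expression count. Function names and the regex-based template scan are simplified assumptions of this example, not the SDK's implementation.

```python
import re
import string

# Constructed re-implementation for illustration only; not the SDK's code.
ASCII_LETTERS = frozenset(string.ascii_letters)
DEFAULT_MAX_TEMPLATE_LENGTH = 8 * 1024   # 8KB, the new limit from the commit
DEFAULT_MAX_VARIABLES = 256              # per-template variable cap

def has_drive_letter_naive(path: str) -> bool:
    # Before: str.isalpha() is Unicode-aware, so "Ω" counts as a letter.
    return len(path) >= 2 and path[0].isalpha() and path[1] == ":"

def has_drive_letter(path: str) -> bool:
    # After: only ASCII A-Z / a-z qualify as a Windows drive letter.
    return len(path) >= 2 and path[0] in ASCII_LETTERS and path[1] == ":"

def is_absolute_path(path: str) -> bool:
    # POSIX root, Windows root, or an ASCII drive-letter prefix.
    return path.startswith(("/", "\\")) or has_drive_letter(path)

_EXPR = re.compile(r"\{([^{}]*)\}")   # one RFC 6570 expression per match

def count_variables(template: str) -> int:
    # Count variables across all expressions, not expressions themselves,
    # so "{v0,v1,...,vN}" is charged N+1 and cannot bypass the limit.
    total = 0
    for m in _EXPR.finditer(template):
        body = m.group(1).lstrip("+#./;?&")   # drop the operator prefix
        total += sum(1 for v in body.split(",") if v.strip())
    return total

def check_template(template: str,
                   max_length: int = DEFAULT_MAX_TEMPLATE_LENGTH,
                   max_variables: int = DEFAULT_MAX_VARIABLES) -> None:
    # Reject oversized templates before parsing and over-packed ones after.
    if len(template) > max_length:
        raise ValueError(f"template exceeds {max_length} bytes")
    n = count_variables(template)
    if n > max_variables:
        raise ValueError(f"template has {n} variables, max {max_variables}")

if __name__ == "__main__":
    print(has_drive_letter_naive("Ω:foo"), is_absolute_path("Ω:foo"))
    packed = "{" + ",".join(f"v{i}" for i in range(300)) + "}"
    print(count_variables(packed))
```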