Fix four review findings: EA ordering, SA-01 label, line-number ref, security package

pyproject.toml:
- Remove "security" and "security.*" from setuptools include list; the
  threat model is a source-checkout-only compliance tool and must not be
  bundled as a top-level namespace package in the distributed wheel.

security/threat_model.py:
- Declare gh_repository (EA-03) before gh_actions_runner (EA-04) to match
  numeric order in the RST asset register.
- Rename gh_actions_runner label from "EA-04: GitHub Actions Runner" to
  "EA-04: GitHub Actions Infrastructure" to match doc/explanation/security.rst.
- Rename dfetch_cli label from "SA-01: dfetch CLI" to "SA-01: dfetch Process"
  to match the Supporting Assets table in security.rst.

doc/explanation/security.rst:
- Remove hard-coded line number from path-traversal control entry; reference
  the function symbol check_no_path_traversal() and file only so the doc
  stays correct after refactors.

https://claude.ai/code/session_01Rc28JtpAPWhJtA3YvS5kcr

Author: claude

doc/explanation/security.rst

@@ -439,7 +439,7 @@ The following controls are already in place and are reflected in the
        ``pathlib.Path.resolve``), then rejects any path whose resolved prefix
        does not start with the resolved root.  Applied to every file copy and
        post-extraction symlink.
-       ``dfetch/util/util.py`` — ``check_no_path_traversal`` at line 277
+       ``check_no_path_traversal()`` in ``dfetch/util/util.py``
    * - Decompression-bomb protection
      - SA-05, PA-02
      - Archives are rejected if uncompressed size exceeds 500 MB or the member

pyproject.toml

@@ -113,7 +113,7 @@ security = ["pytm==1.3.1"]
 dfetch = "dfetch.__main__:main"
 
 [tool.setuptools.packages.find]
-include = ["dfetch", "dfetch.*", "security", "security.*"]
+include = ["dfetch", "dfetch.*"]
 
 [tool.setuptools.package-data]
 dfetch = ["resources/*.yaml"]

security/threat_model.py

@@ -91,14 +91,6 @@
     "hashes — the integrity.hash field is optional."
 )
 
-gh_actions_runner = ExternalEntity("EA-04: GitHub Actions Runner")
-gh_actions_runner.inBoundary = boundary_github
-gh_actions_runner.description = (
-    "Microsoft-operated ephemeral runner executing CI/CD workflows. "
-    "Egress policy is 'audit' (not 'block') — exfiltration of secrets is possible "
-    "if any workflow step is compromised."
-)
-
 gh_repository = ExternalEntity("EA-03: GitHub Repository")
 gh_repository.inBoundary = boundary_github
 gh_repository.description = (
@@ -107,6 +99,14 @@
     "can modify repository state and trigger releases."
 )
 
+gh_actions_runner = ExternalEntity("EA-04: GitHub Actions Infrastructure")
+gh_actions_runner.inBoundary = boundary_github
+gh_actions_runner.description = (
+    "Microsoft-operated ephemeral runner executing CI/CD workflows. "
+    "Egress policy is 'audit' (not 'block') — exfiltration of secrets is possible "
+    "if any workflow step is compromised."
+)
+
 pypi = ExternalEntity("EA-05: PyPI / TestPyPI")
 pypi.inBoundary = boundary_pypi
 pypi.description = (
@@ -124,7 +124,7 @@
 
 # ── Processes ────────────────────────────────────────────────────────────────
 
-dfetch_cli = Process("SA-01: dfetch CLI")
+dfetch_cli = Process("SA-01: dfetch Process")
 dfetch_cli.inBoundary = boundary_dev_env
 dfetch_cli.description = (
     "Python CLI entry point dispatching to: update, check, diff, add, remove, "