Fix four review findings: EA ordering, SA-01 label, line-number ref, security package

pyproject.toml:
- Remove "security" and "security.*" from setuptools include list; the
  threat model is a source-checkout-only compliance tool and must not be
  bundled as a top-level namespace package in the distributed wheel.

security/threat_model.py:
- Declare gh_repository (EA-03) before gh_actions_runner (EA-04) to match
  numeric order in the RST asset register.
- Rename gh_actions_runner label from "EA-04: GitHub Actions Runner" to
  "EA-04: GitHub Actions Infrastructure" to match doc/explanation/security.rst.
- Rename dfetch_cli label from "SA-01: dfetch CLI" to "SA-01: dfetch Process"
  to match the Supporting Assets table in security.rst.

doc/explanation/security.rst:
- Remove hard-coded line number from path-traversal control entry; reference
  the function symbol check_no_path_traversal() and file only so the doc
  stays correct after refactors.

https://claude.ai/code/session_01Rc28JtpAPWhJtA3YvS5kcr

Author: claude

doc/explanation/security.rst

@@ -25,6 +25,14 @@ using the `pytm`_ framework.  Regenerate analysis output with:
    python -m security.threat_model --dfd    # Graphviz DFD (stdout)
    python -m security.threat_model --report # STRIDE findings report
 
+.. note::
+
+   The ``security/`` package is intentionally excluded from built wheels and is
+   **not** installed by ``pip install dfetch[security]``.  These commands must
+   be run from a source checkout with the repository root on ``PYTHONPATH`` (or
+   simply from the repository root, where Python resolves the ``security``
+   package automatically).
+
 .. note::
 
    The ``--seq`` and ``--dfd`` commands require **PlantUML** and **Graphviz**
@@ -399,10 +407,11 @@ with the security controls that are currently implemented.
        in ``ci.yml`` propagates secrets to test and docs workflows triggered
        on PR — a malicious workflow step could exfiltrate secrets.
    * - DF-12
-     - GitHub Actions Runner → GitHub Repository
+     - GitHub Repository → GitHub Actions Runner
      - HTTPS
-     - CI checkout and build.  ``persist-credentials: false`` on all checkout
-       steps; all third-party actions pinned by commit SHA.
+     - CI checkout and build.  GitHub Actions checks out source from the
+       repository into the runner.  ``persist-credentials: false`` on all
+       checkout steps; all third-party actions pinned by commit SHA.
    * - DF-13
      - GitHub Actions Runner → PyPI
      - HTTPS
@@ -439,7 +448,7 @@ The following controls are already in place and are reflected in the
        ``pathlib.Path.resolve``), then rejects any path whose resolved prefix
        does not start with the resolved root.  Applied to every file copy and
        post-extraction symlink.
-       ``dfetch/util/util.py`` — ``check_no_path_traversal`` at line 277
+       ``check_no_path_traversal()`` in ``dfetch/util/util.py``
    * - Decompression-bomb protection
      - SA-05, PA-02
      - Archives are rejected if uncompressed size exceeds 500 MB or the member

pyproject.toml

@@ -113,7 +113,7 @@ security = ["pytm==1.3.1"]
 dfetch = "dfetch.__main__:main"
 
 [tool.setuptools.packages.find]
-include = ["dfetch", "dfetch.*", "security", "security.*"]
+include = ["dfetch", "dfetch.*"]
 
 [tool.setuptools.package-data]
 dfetch = ["resources/*.yaml"]

security/threat_model.py

@@ -91,14 +91,6 @@
     "hashes — the integrity.hash field is optional."
 )
 
-gh_actions_runner = ExternalEntity("EA-04: GitHub Actions Runner")
-gh_actions_runner.inBoundary = boundary_github
-gh_actions_runner.description = (
-    "Microsoft-operated ephemeral runner executing CI/CD workflows. "
-    "Egress policy is 'audit' (not 'block') — exfiltration of secrets is possible "
-    "if any workflow step is compromised."
-)
-
 gh_repository = ExternalEntity("EA-03: GitHub Repository")
 gh_repository.inBoundary = boundary_github
 gh_repository.description = (
@@ -107,6 +99,14 @@
     "can modify repository state and trigger releases."
 )
 
+gh_actions_runner = ExternalEntity("EA-04: GitHub Actions Infrastructure")
+gh_actions_runner.inBoundary = boundary_github
+gh_actions_runner.description = (
+    "Microsoft-operated ephemeral runner executing CI/CD workflows. "
+    "Egress policy is 'audit' (not 'block') — exfiltration of secrets is possible "
+    "if any workflow step is compromised."
+)
+
 pypi = ExternalEntity("EA-05: PyPI / TestPyPI")
 pypi.inBoundary = boundary_pypi
 pypi.description = (
@@ -124,7 +124,7 @@
 
 # ── Processes ────────────────────────────────────────────────────────────────
 
-dfetch_cli = Process("SA-01: dfetch CLI")
+dfetch_cli = Process("SA-01: dfetch Process")
 dfetch_cli.inBoundary = boundary_dev_env
 dfetch_cli.description = (
     "Python CLI entry point dispatching to: update, check, diff, add, remove, "
@@ -320,7 +320,7 @@
     "RISK: 'secrets: inherit' in ci.yml propagates ALL secrets to test and docs workflows."
 )
 gh_workflows.storesSensitiveData = False
-gh_workflows.hasWriteAccess = True   # PRs can modify .github/workflows/ definitions
+gh_workflows.hasWriteAccess = True  # PRs can modify .github/workflows/ definitions
 gh_workflows.classification = Classification.RESTRICTED
 gh_workflows.controls.isHardened = True
 
@@ -414,9 +414,11 @@
 )
 df03_tls.protocol = "HTTPS / SSH"
 df03_tls.controls.isEncrypted = True
-df03_tls.controls.isHardened = True    # BatchMode=yes, --non-interactive
+df03_tls.controls.isHardened = True  # BatchMode=yes, --non-interactive
 
-df03_plain = Dataflow(dfetch_cli, remote_git_svn, "DF-03b: Fetch VCS content — svn:// / http://")
+df03_plain = Dataflow(
+    dfetch_cli, remote_git_svn, "DF-03b: Fetch VCS content — svn:// / http://"
+)
 df03_plain.description = (
     "git fetch over http:// or SVN over svn:// (plain, non-TLS). "
     "dfetch accepts these protocols without enforcement — no TLS check in manifest "
@@ -428,7 +430,9 @@
 df03_plain.controls.isEncrypted = False
 df03_plain.controls.isHardened = False
 
-df04_tls = Dataflow(remote_git_svn, dfetch_cli, "DF-04a: VCS content inbound — HTTPS/SSH")
+df04_tls = Dataflow(
+    remote_git_svn, dfetch_cli, "DF-04a: VCS content inbound — HTTPS/SSH"
+)
 df04_tls.description = (
     "Repository tree and file content over HTTPS or SSH. Transport is encrypted. "
     "No end-to-end content hash for Git or SVN — authenticity relies on transport "
@@ -438,7 +442,9 @@
 df04_tls.controls.isEncrypted = True
 df04_tls.controls.providesIntegrity = False  # no end-to-end hash for git/svn content
 
-df04_plain = Dataflow(remote_git_svn, dfetch_cli, "DF-04b: VCS content inbound — svn:// / http://")
+df04_plain = Dataflow(
+    remote_git_svn, dfetch_cli, "DF-04b: VCS content inbound — svn:// / http://"
+)
 df04_plain.description = (
     "Repository content over unencrypted http:// or svn://. "
     "A network-positioned attacker can substitute arbitrary content without detection "
@@ -472,7 +478,9 @@
     "check_no_path_traversal(). Symlinks validated post-extraction."
 )
 df07.controls.sanitizesInput = True
-df07.controls.providesIntegrity = True
+df07.controls.providesIntegrity = (
+    False  # integrity is conditional on hash presence (checked in DF-05/DF-06)
+)
 
 df08 = Dataflow(dfetch_cli, metadata_store, "DF-08: Write dependency metadata")
 df08.description = "Writes .dfetch_data.yaml tracking remote_url, revision, hash."
@@ -498,7 +506,7 @@
 df11.protocol = "HTTPS"
 df11.controls.hasAccessControl = True
 
-df12 = Dataflow(gh_actions_runner, gh_repository, "DF-12: CI checkout and build")
+df12 = Dataflow(gh_repository, gh_actions_runner, "DF-12: CI checkout and build")
 df12.description = (
     "GitHub Actions checks out source, installs deps, runs tests, lints, builds. "
     "persist-credentials:false on all checkout steps. "