
Commit e81dc49

Add CRA/EN 18031 threat model: asset register, trust boundaries, security controls
- security/threat_model.py: pytm-based threat model covering the full SDLC (runtime, GitHub Actions CI/CD, PyPI distribution). Defines 6 trust boundaries, 5 primary assets (PA-01..PA-05), 10 supporting assets (SA-01..SA-10), 8 environmental assets (EA-01..EA-08), and 15 annotated data flows with existing-control flags.
- doc/explanation/security.rst: Sphinx RST page documenting the asset register, trust boundaries, data flows, implemented controls table, and known gaps/residual risks — aligned with CRA Article 13 and EN 18031.
- doc/index.rst: wire security.rst into the Explanation toctree.
- pyproject.toml: add pytm==1.3.1 as a new [security] optional dependency.
- CHANGELOG.rst: record the new security documentation in 0.14.0 (unreleased).

https://claude.ai/code/session_01Rc28JtpAPWhJtA3YvS5kcr
1 parent 9d04e07 commit e81dc49

6 files changed

Lines changed: 1042 additions & 0 deletions

CHANGELOG.rst

Lines changed: 4 additions & 0 deletions
@@ -1,6 +1,10 @@
11
Release 0.14.0 (unreleased)
22
===========================
33

4+
* Add CRA / EN 18031-aligned security model documentation covering asset register,
5+
trust boundaries, data flows, implemented controls, and known gaps across the full
6+
SDLC (runtime, CI/CD, PyPI distribution). The threat model is maintained as
7+
executable code in ``security/threat_model.py`` using the ``pytm`` framework.
48
* Use ``.cdx.json`` as the default extension for CycloneDX SBOM reports (#1118)
59
* Embed base64-encoded license text in SBOM ``licenses[].text`` when a license is successfully identified (#1112)
610
* Set SBOM ``licenses`` to the SPDX expression ``NOASSERTION`` when a license file is not found or cannot be classified (#1112)
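
Review bot: The new 0.14.0 entry (added lines 4-7) carries no issue or PR reference, while the neighbouring entries each end with one (#1118, #1112); add the reference if one exists so the security documentation can be traced back to its review. The entry also points readers at ``security/threat_model.py`` and ``pytm`` without saying that, per the commit message, pytm is only pulled in through the new [security] optional dependency in pyproject.toml. A short clause naming that extra would tell users what they need to install before the threat model can be executed.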
