
feat(lab2): Threagile threat model + secure variant + auth flow#926

Open
JoraXD wants to merge 2 commits into inno-devops-labs:main from JoraXD:feature/lab2

Conversation

@JoraXD JoraXD commented Jun 8, 2026


Goal

STRIDE-based threat model of OWASP Juice Shop with Threagile: baseline model analysis, hardened secure variant, and a focused auth-flow model from scratch.

Changes

  • labs/lab2/threagile-model-secure.yaml - hardened variant with HTTPS on all links, encrypted storage, token auth on proxy-to-app link, and prepared statements declaration
  • labs/lab2/threagile-model-auth.yaml - auth-flow focused model written from scratch (browser, auth API, token signer, credential store, admin endpoint)
  • submissions/lab2.md - risk count tables, STRIDE mapping, baseline-vs-secure diff, 3 fixed rules, 2 still-firing rules, honesty check, bonus auth-flow analysis

Testing

# Baseline
docker run --rm -v "$(pwd)/labs/lab2":/app/work \
  threagile/threagile:0.9.1 \
  -model /app/work/threagile-model.yaml \
  -output /app/work/output \
  -generate-risks-excel=false -generate-tags-excel=false
# 23 risks (4 elevated, 14 medium, 5 low)

# Secure variant
docker run --rm -v "$(pwd)/labs/lab2":/app/work \
  threagile/threagile:0.9.1 \
  -model /app/work/threagile-model-secure.yaml \
  -output /app/work/output-secure \
  -generate-risks-excel=false -generate-tags-excel=false
# 19 risks (1 elevated, 13 medium, 5 low), delta -4

# Auth flow model
docker run --rm -v "$(pwd)/labs/lab2":/app/work \
  threagile/threagile:0.9.1 \
  -model /app/work/threagile-model-auth.yaml \
  -output /app/work/output-auth \
  -generate-risks-excel=false -generate-tags-excel=false
# 40 risks (2 high, 11 elevated, 22 medium, 5 low)

Artifacts & Screenshots


  • Title is clear (feat(labN): <topic> style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab2.md exists
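The submission described above tabulates risk counts and a baseline-vs-secure diff from two Threagile runs. The script below is an added example, not code from this pull request or from the Threagile project: it reads two risk reports of the shape Threagile writes to its output directory (the field names "category", "severity" and "synthetic_id" are assumed to match that risks.json), then produces the per-severity counts, the per-category delta, and the list of risks that still fire after hardening. Both reports embedded here are constructed samples, not the lab's actual output.

```python
"""Compare a baseline Threagile risk report with a hardened-variant report.

Added example (not part of the PR). Field names are assumed to match
Threagile's risks.json; both inputs below are constructed sample data.
"""
import json
from collections import Counter

# Threagile severities from most to least severe.
SEVERITY_ORDER = ("critical", "high", "elevated", "medium", "low")

# Constructed sample: baseline model with plaintext links and no auth on proxy->app.
BASELINE_JSON = json.dumps([
    {"category": "unencrypted-communication", "severity": "elevated",
     "synthetic_id": "unencrypted-communication@browser>proxy"},
    {"category": "unencrypted-communication", "severity": "elevated",
     "synthetic_id": "unencrypted-communication@proxy>app"},
    {"category": "missing-authentication", "severity": "medium",
     "synthetic_id": "missing-authentication@proxy>app"},
    {"category": "sql-nosql-injection", "severity": "medium",
     "synthetic_id": "sql-nosql-injection@app>db"},
    {"category": "missing-hardening", "severity": "low",
     "synthetic_id": "missing-hardening@app"},
])

# Constructed sample: same model after switching links to HTTPS and adding token auth.
SECURE_JSON = json.dumps([
    {"category": "sql-nosql-injection", "severity": "medium",
     "synthetic_id": "sql-nosql-injection@app>db"},
    {"category": "missing-hardening", "severity": "low",
     "synthetic_id": "missing-hardening@app"},
])


def load_risks(text):
    """Parse a risks.json document; it must be a JSON array of risk objects."""
    risks = json.loads(text)
    if not isinstance(risks, list):
        raise ValueError("risks.json must be a JSON array")
    return risks


def severity_counts(risks):
    """Return {severity: count} with every known severity present (0 if absent)."""
    counts = Counter(r["severity"] for r in risks)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def category_delta(baseline, secure):
    """Per-category change in risk count; negative means the hardening removed risks."""
    before = Counter(r["category"] for r in baseline)
    after = Counter(r["category"] for r in secure)
    return {cat: after[cat] - before[cat]
            for cat in sorted(set(before) | set(after))
            if after[cat] != before[cat]}


def still_firing(baseline, secure):
    """Risk ids present in both reports: rules the hardening did not address."""
    return sorted({r["synthetic_id"] for r in baseline}
                  & {r["synthetic_id"] for r in secure})


def summarize(baseline_text, secure_text):
    """Build the numbers a lab write-up needs: counts, total delta, fixed vs. still firing."""
    base, sec = load_risks(baseline_text), load_risks(secure_text)
    return {
        "baseline": severity_counts(base),
        "secure": severity_counts(sec),
        "total_delta": len(sec) - len(base),
        "category_delta": category_delta(base, sec),
        "still_firing": still_firing(base, sec),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(BASELINE_JSON, SECURE_JSON), indent=2))
```

To use it against real runs, replace the two constructed strings with the contents of `output/risks.json` and `output-secure/risks.json`; the "still_firing" list is the quickest way to find the rules a hardened variant did not silence, which is what the submission's "still-firing rules" section is about.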
