feat(lab2): Threagile threat model + secure variant + auth flow

[eraegar]

Goal

Add the Lab 2 Threagile baseline analysis, a hardened secure-variant model, and a focused auth-flow threat model for the bonus task.

Changes

• Added submissions/lab2.md with the baseline risk table, top-5 risks, STRIDE mapping, trust-boundary observation, secure-variant comparison, and bonus auth-flow analysis
• Added labs/lab2/threagile-model-secure.yaml as the hardened Threagile model variant
• Added labs/lab2/threagile-model-auth.yaml as a focused authentication-flow threat model written from scratch

Testing

Commands used:

docker run --rm \
  -v "$(pwd)/labs/lab2":/app/work \
  threagile/threagile:0.9.1 \
  -model /app/work/threagile-model.yaml \
  -output /app/work/output

jq '[.[] | .severity] | group_by(.) | map({severity: .[0], count: length})' \
  labs/lab2/output/risks.json

jq '[.[] | {severity, category, title, technical_asset: .most_relevant_technical_asset}] |
    sort_by(.severity) | .[:5]' \
  labs/lab2/output/risks.json

docker run --rm \
  -v "$(pwd)/labs/lab2":/app/work \
  threagile/threagile:0.9.1 \
  -model /app/work/threagile-model-secure.yaml \
  -output /app/work/output-secure

docker run --rm \
  -v "$(pwd)/labs/lab2":/app/work \
  threagile/threagile:0.9.1 \
  -model /app/work/threagile-model-auth.yaml \
  -output /app/work/output-auth

Observed results:

• Baseline model generated Threagile outputs including risks.json, data-flow-diagram.png, and data-asset-diagram.png
• Baseline risk counts were 4 elevated, 14 medium, and 5 low for a total of 23
• Secure variant reduced the total risk count from 23 to 20
• Auth-flow model generated a focused risk set with 3 high, 4 elevated, 21 medium, and 1 low risks
• The focused auth model surfaced auth-specific findings such as missing-authentication-second-factor, missing-identity-propagation, and unguarded-access-from-internet

Artifacts & Screenshots

• Submission file: submissions/lab2.md

• Secure variant model: labs/lab2/threagile-model-secure.yaml

• Auth-flow model: labs/lab2/threagile-model-auth.yaml

• Generated reports were reviewed locally from labs/lab2/output/, labs/lab2/output-secure/, and labs/lab2/output-auth/ and are not committed

• Title is clear (feat(lab2): <topic> style)

• No secrets/large temp files committed

• Submission file at submissions/lab2.md exists