feat: deterministic supply-chain threat-model generator (v0.1)#120

Merged: 1 commit merged into main from feat/supply-chain-threat-model, Jun 2, 2026
Conversation

@Davincc77 (Owner)

Summary

Adds a real, deterministic, offline supply-chain threat-model generator for x.klickd skill/candidate manifests. Independent PR built on main; does not depend on or merge #115 / #118.

  • scripts/generate_supply_chain_threat_model.py — stdlib-only CLI. Parses a candidate manifest, computes a deterministic candidate_hash, classifies threats, emits required mitigations, renders a deterministic report, and blocks (exit 1) on any unmitigated high/critical finding.
  • 7 candidate fixtures under tests/fixtures/threat-model/.
  • 14-case pytest suite tests/test_supply_chain_threat_model.py.
  • Internal/draft doc docs/supply-chain/THREAT_MODEL_GENERATOR.md.

Tool-backed (real)

Manifest parsing · deterministic sha256 candidate hash + threat-model id · rule-based classification across 11 categories (authority_escalation, human_veto_bypass, tool_boundary_violation, memory_poisoning, private_public_leak, evidence_weakening, unsourced_claim, unsafe_external_action, irreversible_action, compliance_overclaim, stale_or_unlicensed_source_dependency) · severity (low/medium/high/critical) · required_mitigations · block decision · deterministic report rendering · fixture-driven tests.

Planned / out of scope

Runtime/behavioural analysis of a loaded candidate · network scanning · legal/compliance assessment · promotion-gate integration · richer source freshness/license resolution (separate PR, not depended on here).

Blocking examples

| Fixture | Category | Result |
| --- | --- | --- |
| low_risk_ok | | pass (exit 0) |
| no_veto_sensitive_action | human_veto_bypass | block |
| external_action_no_gate | unsafe_external_action | block |
| longterm_memory_no_promotion | memory_poisoning | block |
| private_public_leak | private_public_leak | block |
| evidence_false_public_claims | evidence_weakening + unsourced_claim | block |
| compliance_overclaim | compliance_overclaim | block |

Validations run

  • New threat-model tests: 14 passed.
  • Pack verifier: OK, 42 packs (8 Lite, 34 Pro), hash-match.
  • Candidate mapping validator: OK, 49 rows / 42 artefacts.
  • Full Python suite: 195 passed.
  • Node vector test: 47/47 passed (13 skipped — hash-wasm optional dep, baseline).
  • Forbidden-claim / codename grep: clean (no positive compliance/superiority claim, no internal codename).

Limits & boundaries

NON-NORMATIVE. Not a security certification; does not establish GDPR or EU AI Act compliance; no benchmark-superiority / universal-standard claim; does not prove a loaded/executable skill; not full automation. Findings reflect only what the manifest declares. Human review still required.

No release / no publish / no tag / no deploy / no DOI. Public artefacts remain v4.1. Davincc77/klickd-ai untouched.

Test plan

  • python3 -m pytest tests/test_supply_chain_threat_model.py -q
  • python3 scripts/generate_supply_chain_threat_model.py --candidate tests/fixtures/threat-model/candidate_no_veto_sensitive_action.json → exit 1
  • python3 scripts/generate_supply_chain_threat_model.py --candidate tests/fixtures/threat-model/candidate_low_risk_ok.json → exit 0

🤖 Generated with Claude Code

Add scripts/generate_supply_chain_threat_model.py: an offline, stdlib-only,
deterministic static analyser for x.klickd candidate manifests. Classifies
declared threats across 11 categories (authority_escalation, human_veto_bypass,
tool_boundary_violation, memory_poisoning, private_public_leak,
evidence_weakening, unsourced_claim, unsafe_external_action,
irreversible_action, compliance_overclaim,
stale_or_unlicensed_source_dependency), emits required mitigations, and blocks
(exit 1) on unmitigated high/critical findings.

Adds 7 candidate fixtures, a 14-case pytest suite, and an internal/draft doc.
NON-NORMATIVE: not a security certification, no GDPR/EU AI Act compliance
claim, no benchmark/universal-standard claim, no release. Public artefacts
remain v4.1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
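As an added example, not the PR's script or its fixtures: a minimal Python sketch of the pipeline the summary describes (canonical-JSON sha256 candidate hash, rule-based classification into a subset of the 11 categories, required mitigations, a block decision on any unmitigated high/critical finding, and a deterministic plain-text report). The manifest field names, mitigation ids, the severity assigned to each rule and the threat_model_id scheme are all assumptions, because the PR page does not show the manifest schema; the two fixtures at the bottom are constructed here.

```python
import hashlib
import json
import sys

# Assumed manifest schema, constructed for this example (the real x.klickd
# manifest format is not shown in the PR; field names here are placeholders).
BLOCKING_SEVERITIES = {"high", "critical"}


def candidate_hash(manifest: dict) -> str:
    """sha256 over canonical JSON so key order and whitespace cannot change the hash."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def classify(manifest: dict) -> list:
    """Rule-based classification; each rule maps a declared property to a category."""
    findings = []

    def add(category, severity, evidence, mitigation):
        findings.append({"category": category, "severity": severity,
                         "evidence": evidence, "mitigation": mitigation})

    for action in manifest.get("actions", []):
        name = action.get("id", "<unnamed>")
        if action.get("sensitive") and not action.get("human_veto"):
            add("human_veto_bypass", "high",
                f"action {name} is sensitive but declares no human veto", "require_human_veto")
        if action.get("external") and not action.get("gate"):
            add("unsafe_external_action", "high",
                f"action {name} reaches outside the sandbox without a gate", "add_external_action_gate")
        if action.get("irreversible") and not action.get("confirmation"):
            add("irreversible_action", "medium",
                f"action {name} is irreversible and has no confirmation step", "require_confirmation")
    memory = manifest.get("memory", {})
    if memory.get("scope") == "long_term" and not memory.get("promotion_gate"):
        add("memory_poisoning", "high",
            "long-term memory writes have no promotion gate", "gate_memory_promotion")
    data = manifest.get("data", {})
    if data.get("private_inputs") and data.get("public_outputs"):
        add("private_public_leak", "critical",
            "private inputs flow to public outputs", "separate_private_public_channels")
    for claim in manifest.get("claims", []):
        text = claim.get("text", "<empty>")
        if claim.get("public") and not claim.get("sources"):
            add("unsourced_claim", "high", f"public claim without sources: {text}", "attach_sources")
        if claim.get("compliance"):
            add("compliance_overclaim", "critical",
                f"claim asserts compliance: {text}", "remove_compliance_claim")
    # Sort so the report does not depend on rule order or dict iteration order.
    findings.sort(key=lambda f: (f["category"], f["evidence"]))
    return findings


def evaluate(manifest: dict) -> dict:
    """Build the threat model: findings, required mitigations and the block decision."""
    findings = classify(manifest)
    declared = set(manifest.get("mitigations", []))
    unmitigated = [f for f in findings
                   if f["severity"] in BLOCKING_SEVERITIES and f["mitigation"] not in declared]
    chash = candidate_hash(manifest)
    tm_input = chash + json.dumps(findings, sort_keys=True, separators=(",", ":"))
    return {
        "candidate_hash": chash,
        # Threat-model id derived from hash + findings (assumed scheme, not the PR's).
        "threat_model_id": "tm-" + hashlib.sha256(tm_input.encode("utf-8")).hexdigest()[:16],
        "findings": findings,
        "required_mitigations": sorted({f["mitigation"] for f in findings} - declared),
        "block": bool(unmitigated),
    }


def render(report: dict) -> str:
    """Deterministic plain-text report: same input -> byte-identical output."""
    lines = [f"candidate_hash: {report['candidate_hash']}",
             f"threat_model_id: {report['threat_model_id']}"]
    for f in report["findings"]:
        lines.append(f"- [{f['severity']}] {f['category']}: {f['evidence']} (mitigation: {f['mitigation']})")
    lines.append("required_mitigations: " + (", ".join(report["required_mitigations"]) or "none"))
    lines.append("decision: " + ("BLOCK" if report["block"] else "PASS"))
    return "\n".join(lines) + "\n"


# Constructed fixtures (not the PR's fixture files).
LOW_RISK = {"id": "demo-low-risk", "actions": [{"id": "summarise", "sensitive": False}],
            "memory": {"scope": "session"}, "claims": []}
NO_VETO = {"id": "demo-no-veto",
           "actions": [{"id": "send_payment", "sensitive": True, "human_veto": False}],
           "memory": {"scope": "session"}, "claims": []}

if __name__ == "__main__":
    # Usage: python3 threat_model_demo.py [manifest.json]; exits 1 on a block decision.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    manifest = json.load(open(path, encoding="utf-8")) if path else NO_VETO
    report = evaluate(manifest)
    sys.stdout.write(render(report))
    sys.exit(1 if report["block"] else 0)
```

The two properties worth checking in such a tool are the ones the PR summary advertises: the candidate hash and report must not change when the manifest is re-serialised with different key order, and a high finding whose mitigation the manifest explicitly declares must drop out of the block decision while still appearing in the findings list, so reviewers can see what was mitigated rather than only what remains.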