Add threat model flow trust annotations#1568

Open
malb200710-dev wants to merge 1 commit into
UnitOneAI:mainfrom
malb200710-dev:codex/threat-modeling-flow-trust-1532
Conversation

@malb200710-dev
Bounty type

Skill Improvement bounty

Modified skill

skills/appsec/threat-modeling/SKILL.md

Issue

Fixes #1532

What was missing

The DFD annotation guidance was centered on point-to-point network flows. That made event-bus, serverless async, sidecar-enforced, local IPC/shared-volume, in-process SDK, and CI/CD artifact flows harder to model accurately.

What changed

  • Bumped threat-modeling to v1.0.1.
  • Added extended flow annotation fields for trust model, communication type, authorization/policy point, delegation context, and artifact integrity.
  • Added trust model classification for direct, mediated, sidecar, local_trust, and in_process flows.
  • Added CI/CD artifact boundary evidence gates for provenance, signatures, registry integrity, pipeline identity, and deployment verification.
  • Added fixtures for event bus/queue, serverless async, service mesh sidecar, shared volume/IPC, and third-party SDK patterns.
  • Added DFD Flow Annotation Appendix and CI/CD Artifact Integrity Summary output sections.

Validation

  • Confirmed v1.0.1 version bump.
  • Confirmed extended flow annotation section is present.
  • Confirmed trust model classification is present.
  • Confirmed CI/CD artifact evidence gates are present.
  • Confirmed example flow fixtures are present.
  • Confirmed output appendix and CI/CD summary are present.
  • Confirmed Markdown fence balance.

Bounty request

Requesting consideration for the SecuritySkills improver bounty if accepted/merged. Payment details can be provided privately after acceptance.
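As an added illustration of the annotation scheme the PR describes (not code from the PR or from the SKILL.md itself): a small Python model of a DFD flow annotation carrying the extended fields, the five trust model classes, and the five CI/CD artifact evidence gates, plus a checker that reports where a fixture's annotation is incomplete. The trust model values and gate names are taken from the PR description; the field names, the review rules in `annotation_gaps`, and the two fixture flows are assumptions constructed for this example.

```python
"""Worked example of DFD flow trust annotations.

Constructed for illustration; this is not the SKILL.md schema. The trust
model values and the five CI/CD evidence gate names come from the PR
description; field names, fixture values and checking rules are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class TrustModel(str, Enum):
    DIRECT = "direct"            # point-to-point, callee authenticates the caller
    MEDIATED = "mediated"        # broker / queue / event bus sits between parties
    SIDECAR = "sidecar"          # policy enforced by a mesh proxy, not the app
    LOCAL_TRUST = "local_trust"  # same host: IPC socket, shared volume
    IN_PROCESS = "in_process"    # third-party SDK running inside the caller


# The five CI/CD artifact boundary evidence gates named in the PR.
ARTIFACT_GATES = (
    "provenance",
    "signatures",
    "registry_integrity",
    "pipeline_identity",
    "deployment_verification",
)


@dataclass
class FlowAnnotation:
    name: str
    source: str
    destination: str
    trust_model: TrustModel
    communication_type: str                 # e.g. "sync_http", "async_event", "artifact_pull"
    authorization_point: Optional[str]      # where access is actually decided
    delegation_context: Optional[str]       # whose identity acts downstream, if any
    crosses_artifact_boundary: bool = False
    artifact_evidence: Dict[str, str] = field(default_factory=dict)  # gate -> evidence


def missing_artifact_evidence(flow: FlowAnnotation) -> List[str]:
    """Return the artifact gates for which the flow records no evidence.

    Only meaningful for flows that cross a CI/CD artifact boundary; any
    other flow returns an empty list.
    """
    if not flow.crosses_artifact_boundary:
        return []
    return [g for g in ARTIFACT_GATES if not flow.artifact_evidence.get(g)]


def annotation_gaps(flow: FlowAnnotation) -> List[str]:
    """Assumed review rules for an annotated flow (not the skill's own rules).

    - A flow that is not direct must name an authorization point, because
      enforcement has moved away from the callee.
    - mediated and sidecar flows must record a delegation context, since the
      identity presented downstream is not the originating caller's.
    - Artifact-boundary flows need evidence for every gate.
    """
    gaps: List[str] = []
    if flow.trust_model is not TrustModel.DIRECT and not flow.authorization_point:
        gaps.append("authorization_point")
    if flow.trust_model in (TrustModel.MEDIATED, TrustModel.SIDECAR) and not flow.delegation_context:
        gaps.append("delegation_context")
    gaps.extend(f"artifact_evidence:{g}" for g in missing_artifact_evidence(flow))
    return gaps


# Constructed fixtures: an event-bus flow and a CI/CD artifact promotion flow.
FIXTURES = [
    FlowAnnotation(
        name="order-events",
        source="order-service",
        destination="billing-service",
        trust_model=TrustModel.MEDIATED,
        communication_type="async_event",
        authorization_point="broker topic ACL",
        delegation_context=None,  # constructed gap: billing acts as whom?
    ),
    FlowAnnotation(
        name="image-promotion",
        source="ci-pipeline",
        destination="prod-cluster",
        trust_model=TrustModel.DIRECT,
        communication_type="artifact_pull",
        authorization_point="registry push/pull policy",
        delegation_context="pipeline workload identity",
        crosses_artifact_boundary=True,
        artifact_evidence={  # two of the five gates deliberately left without evidence
            "provenance": "build attestation attached to the image",
            "signatures": "image signature verified at admission",
            "pipeline_identity": "workload identity token on the runner",
        },
    ),
]


def review_fixtures(flows=FIXTURES) -> Dict[str, List[str]]:
    """Map each flow name to the list of annotation gaps found."""
    return {f.name: annotation_gaps(f) for f in flows}


if __name__ == "__main__":
    for flow_name, gaps in review_fixtures().items():
        print(f"{flow_name}: {'complete' if not gaps else ', '.join(gaps)}")
```

Running it lists, per fixture, which annotation fields or evidence gates are still unrecorded, which is the kind of gap the appendix and CI/CD summary sections in the PR are meant to surface.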

Development

Successfully merging this pull request may close these issues.

[REVIEW] threat-modeling: add DFD trust model classification, communication types, and CI/CD artifact integrity gates

1 participant