Improve threat modeling sequence-state coverage #1435

Open
IvanchitorJR wants to merge 1 commit into UnitOneAI:main from IvanchitorJR:improve/threat-modeling-sequence-state
@IvanchitorJR

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: threat-modeling
Skill path: skills/appsec/threat-modeling/

What Was Wrong

The existing skill has strong STRIDE and DFD coverage, but it treats most workflows as static component/data-flow relationships. That can miss temporal flaws where each component appears safe in isolation, but the sequence is exploitable through replay, stale authorization, duplicate delivery, or cross-account rebinding.

Concrete examples include OAuth/OIDC callbacks, password reset links, invitations, payment webhooks, checkout, refunds, approvals, and entitlement grants. These need explicit preconditions, postconditions, expiry, replay controls, and authorization checks at the point where state changes are applied.

What This PR Fixes

This PR adds sequence and state-transition modeling guidance to the threat-modeling skill:

  • adds sequence/state descriptions to required context;
  • adds a new Step 3A for multi-request workflow analysis;
  • adds a transition evidence table for source state, event, destination state, required proof, expiry/replay control, and failure mode;
  • expands STRIDE questions for replayable callbacks, stale intermediate state, duplicate delivery, and traceability across async/retry paths;
  • adds an output table for sequence and state transition risks;
  • adds common pitfalls for static-only DFD modeling and treating idempotency as authorization.

Evidence

Before (skill misses this):

Invite callback accepts invite_id=12345, grants admin immediately, has no recipient binding, tenant binding, one-time token, nonce, expiry, or final authorization re-check. The DFD still shows normal Browser -> App -> DB communication, so a static review can miss replay and stale-authorization abuse.

After (now correctly handled):

Step 3A requires the reviewer to model the transition from invite pending -> admin granted, verify single-use expiry and identity/tenant binding, and flag replayable or stale authorization transitions as High when they can grant account access or privileges.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing repository checks still pass / applicable local validation completed

Validation performed locally:

  • git diff --cached --check
  • frontmatter required-field check across skill and role SKILL.md files
  • prompt-injection pattern scan matching the repository workflow logic
  • index path existence check for all indexed files
  • added fixture files are ASCII-only

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal; payout details can be provided privately after maintainer acceptance.
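
An added example, not part of this PR or the repository's skill files: a minimal Python sketch of the invite pending -> admin granted transition from the Evidence section, with the static-only "before" behaviour beside a guarded version that returns a named failure mode for each missing precondition. The `Invite` model, the function names, the failure-mode strings and the `inviter_can_grant` callback are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass
class Invite:
    token_hash: str         # only a hash of the one-time token is stored
    recipient: str          # identity binding
    tenant: str             # tenant binding
    role: str
    expires_at: float
    state: str = "pending"  # pending -> accepted is the only allowed transition

def issue_invite(recipient, tenant, role, now, ttl=900):
    """Create an invite and return (one-time token, stored record)."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    return token, Invite(digest, recipient, tenant, role, now + ttl)

def accept_static_only(invite, caller, grants):
    """'Before' behaviour: the invite reference alone is treated as proof."""
    grants.add((caller, invite.tenant, invite.role))
    return "granted"

def accept_guarded(invite, token, caller, caller_tenant, inviter_can_grant, grants, now):
    """Apply pending -> accepted only if every precondition holds."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, invite.token_hash):
        return "bad_token"
    if invite.state != "pending":
        return "replayed"             # single-use: transition already consumed
    if now >= invite.expires_at:
        return "expired"
    if caller != invite.recipient:
        return "wrong_recipient"
    if caller_tenant != invite.tenant:
        return "wrong_tenant"
    if not inviter_can_grant(invite.tenant, invite.role):
        return "stale_authorization"  # re-check where the state change is applied
    invite.state = "accepted"         # postcondition: no further transitions
    grants.add((caller, invite.tenant, invite.role))
    return "granted"
```

In a real data store the state check and the state update have to be one atomic operation (for example a conditional update); otherwise two concurrent requests can both pass the pending check.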
