create-threat-model

Solid

Analyze a codebase and produce a structured threat model at .turbo/threat-model.md covering assets, trust boundaries, attack surfaces with existing mitigations, attacker stories, and calibrated severity. Use when the user asks to "create a threat model", "threat model", "threat model this codebase", "security analysis", "analyze the attack surface", "what are the threats", or "identify security risks".

AI & Automation 335 stars 26 forks Updated 5 days ago MIT

Quality Score: 89/100

Stars (20%): 84
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

# Create Threat Model

Analyze the current codebase and produce a structured threat model at `.turbo/threat-model.md`.

The threat model describes the current state of the codebase: what it protects, where trust boundaries are, how it can be attacked, what defenses exist, and how severe each risk is. It is descriptive, not prescriptive. Do not include remediation recommendations.

Optional: `$ARGUMENTS` may specify scope (directories, modules, or focus areas). When scope is provided, limit reconnaissance and code discovery to the specified directories or modules. Still produce all four sections, but title the overview to reflect the narrowed scope and note what is excluded.

## Step 1: Reconnaissance

Build a mental model of the system before analyzing threats.

1. Read the project README, CLAUDE.md, and any architecture or security documentation.
2. Examine top-level directory structure, build files, and dependency manifests to identify modules, languages, frameworks, and deployment model.
3. **Classify the application type**: library, CLI tool, web service, desktop app, mobile app, or hybrid. This determines which threat categories and trust boundary patterns apply.
4. Identify security-critical dependencies (crypto libraries, auth providers, network stacks, native/FFI libraries). Note what this codebase delegates versus what it owns.
5. Read any existing security documentation: `SECURITY.md`, audit reports, threat models, or changelog entries mentioning CVEs.

## Step 2: S...

Details

Author: tobihagemann
Repository: tobihagemann/turbo
Created: 3 months ago
Last Updated: 5 days ago
Language: Python
License: MIT
