a0c94cb3d3
§1.6 — Threat Model & Hardening Trade-offs: New section in BEST-PRACTICES.md §2.1 explains why Defender/Firewall/UAC are disabled in the template VM: - Current state: tradeoff table (AV overhead vs attack surface, firewall fragility, UAC blocking elevated WinRM) - Acceptable conditions: isolated lab, trusted code, no host sharing, VMnet8 not exposed - Breaking conditions: untrusted code builds, shared host, LAN-exposed network - Mitigations: how to re-enable each feature with specific cost/benefit trade-offs Addresses security documentation gap — future modifications to security posture can now reference this single authoritative source. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>