feat(gain-web): security + supply-chain pane (tier 1 / depends #162) #171

Description

@thehoff

Background

#162 ships the gain --web dashboard reading from history.db. The Tirith gate and supply-chain check write to two separate JSONL files outside that DB:

  • `~/Library/Application Support/contextcrawler/downgrades.jsonl` (Tirith block + downgrade events)
  • `~/Library/Application Support/contextcrawler/supply_chain.jsonl` (per-install verdicts + findings)

The CLI `contextcrawler security` and `security log --histogram` already surface this data. The dashboard does not.

Proposed scope (tier 1 — no schema change)

New endpoints (read-only, JSONL tail with byte cap — mirrors existing `tirith_gate::read_recent_downgrades` discipline):

  • `GET /api/security/gate` — downgrades histogram (by rule_id, by action) + recent N events
  • `GET /api/security/supply-chain` — verdict counts (allow/block/skip), top blocked packages, recent block events

New dashboard pane "Security" with cards: gate block rate, supply-chain block rate, top blocked packages leaderboard, recent block timeline.
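As an added illustration of the read path both endpoints need (this is not code from #171 or #162, and the field names `ts`, `rule_id`, `action`, `package` and `verdict`, the sample records and the file layout are all assumptions): a byte-capped tail of a JSONL file that drops the partial first record, a per-field histogram used for the by-rule and by-action counts on `/api/security/gate` and the verdict counts on `/api/security/supply-chain`, and a sorted leaderboard for the top blocked packages card. A small string-field extractor stands in for a real JSON parser so the block runs without dependencies; a real endpoint would use serde_json.

```rust
// Added illustration, not code from #171/#162; field names and file layout are assumptions.
use std::collections::HashMap;
use std::fs::File;
use std::io::{Read, Seek, SeekFrom};
use std::path::Path;

/// Read at most `byte_cap` bytes from the end of `path`, keeping whole lines only,
/// so the endpoint's work stays bounded however large the log grows.
pub fn tail_lines(path: &Path, byte_cap: u64) -> std::io::Result<Vec<String>> {
    let mut f = File::open(path)?;
    let start = f.metadata()?.len().saturating_sub(byte_cap);
    f.seek(SeekFrom::Start(start))?;
    let mut buf = Vec::new();
    f.read_to_end(&mut buf)?;
    Ok(split_whole_lines(&buf, start > 0))
}

/// Split a byte window into non-empty lines. If the window was cut mid-file, the first
/// fragment is in general half a record and is dropped (one whole record may be lost; a corrupt one is never counted).
pub fn split_whole_lines(buf: &[u8], truncated_front: bool) -> Vec<String> {
    let text = String::from_utf8_lossy(buf);
    let mut lines: Vec<String> = text.lines().map(str::to_string).collect();
    if truncated_front && !lines.is_empty() {
        lines.remove(0);
    }
    lines.retain(|l| !l.trim().is_empty());
    lines
}

/// Extract a string-valued field from a flat JSON object line. A dependency-free stand-in
/// for a real parser (serde_json in a real endpoint); handles `\"` and `\\` escapes, rejects unterminated strings.
pub fn string_field(line: &str, key: &str) -> Option<String> {
    let needle = format!("\"{}\"", key);
    let rest = &line[line.find(&needle)? + needle.len()..];
    let value = rest.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    let mut chars = value.chars();
    let mut out = String::new();
    while let Some(c) = chars.next() {
        match c {
            '\\' => match chars.next()? {
                '"' => out.push('"'),
                '\\' => out.push('\\'),
                other => { out.push('\\'); out.push(other); }
            },
            '"' => return Some(out),
            c => out.push(c),
        }
    }
    None
}

/// Count occurrences of one field across records; records lacking it are skipped.
pub fn histogram(lines: &[String], key: &str) -> HashMap<String, usize> {
    let mut h = HashMap::new();
    for v in lines.iter().filter_map(|l| string_field(l, key)) {
        *h.entry(v).or_insert(0) += 1;
    }
    h
}

/// Leaderboard: top `n` entries by count, ties broken by name for stable output.
pub fn top_n(h: &HashMap<String, usize>, n: usize) -> Vec<(String, usize)> {
    let mut v: Vec<(String, usize)> = h.iter().map(|(k, c)| (k.clone(), *c)).collect();
    v.sort_by(|a, b| b.1.cmp(&a.1).then_with(|| a.0.cmp(&b.0)));
    v.truncate(n);
    v
}

/// Top blocked packages for the supply-chain card: only verdict == "block" records count.
pub fn blocked_packages(lines: &[String]) -> HashMap<String, usize> {
    let blocked: Vec<String> = lines.iter()
        .filter(|l| string_field(l, "verdict").as_deref() == Some("block")).cloned().collect();
    histogram(&blocked, "package")
}

/// Constructed sample records (not real data) with the assumed field names.
pub const GATE_SAMPLE: &str = concat!(
    "{\"ts\":\"2024-01-01T00:00:00Z\",\"rule_id\":\"pin-downgrade\",\"action\":\"block\"}\n",
    "{\"ts\":\"2024-01-01T00:01:00Z\",\"rule_id\":\"pin-downgrade\",\"action\":\"warn\"}\n",
    "{\"ts\":\"2024-01-01T00:02:00Z\",\"rule_id\":\"unsigned-tarball\",\"action\":\"block\"}\n",
    "{\"ts\":\"2024-01-01T00:03:00Z\",\"rule_id\":\"pin-downgrade\",\"action\":\"block\"}\n",
);
pub const SUPPLY_SAMPLE: &str = concat!(
    "{\"package\":\"pkg-a\",\"verdict\":\"block\"}\n",
    "{\"package\":\"pkg-a\",\"verdict\":\"block\"}\n",
    "{\"package\":\"pkg-b\",\"verdict\":\"allow\"}\n",
    "{\"package\":\"pkg-c\",\"verdict\":\"block\"}\n",
);

fn main() -> std::io::Result<()> {
    let path = std::env::temp_dir().join("downgrades_example.jsonl");
    std::fs::write(&path, GATE_SAMPLE)?;
    // A 250-byte cap lands inside the oldest record, which is therefore dropped.
    let lines = tail_lines(&path, 250)?;
    println!("by rule   {:?}", top_n(&histogram(&lines, "rule_id"), 5));
    println!("by action {:?}", histogram(&lines, "action"));
    let supply: Vec<String> = SUPPLY_SAMPLE.lines().map(str::to_string).collect();
    println!("top blocked {:?}", top_n(&blocked_packages(&supply), 3));
    Ok(())
}
```

The block rate for the cards is `by_action["block"]` over the sum of the action histogram (same for verdicts on the supply-chain side); the "recent N events" payload is simply the last N entries of `tail_lines` in file order, since the file is append-only. The byte cap is what keeps these read-only endpoints from becoming a full-file scan an attacker can inflate by triggering many gate events, so it should be a fixed constant rather than a query parameter.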

Why now

Out of scope

Effort

S — 1-2 days.

Dependencies

Depends on #162 landing first (this pane plugs into the same SPA + nav).
