feat(llm-security): add 3 more runnable threat examples [skip-docs]

Three new self-contained, runnable threat demonstrations under
examples/, continuing the batch started in 583a78c. Each example
has README.md + run-*.mjs + expected-findings.md and uses
state-isolation discipline so the user's real cache/state files
are never polluted.

- examples/supply-chain-attack/ — two-layer demonstration:
  pre-install-supply-chain (PreToolUse) blocks compromised
  event-stream version 3.3.6 and emits a scope-hop advisory for
  the @evilcorp scope; dep-auditor (DEP scanner, offline) flags
  5 typosquat dependencies plus a curl-piped install-script
  vector in the fixture package.json. Maps to LLM03/LLM05/ASI04.

- examples/poisoned-claude-md/ — all 6 memory-poisoning detectors
  fire on a deliberately poisoned CLAUDE.md plus a fixture
  agent file under .claude/agents (E15/v7.2.0 surface):
  detectInjection, detectShellCommands, detectSuspiciousUrls,
  detectCredentialPaths, detectPermissionExpansion,
  detectEncodedPayloads. No agent runtime needed — scanner
  imported directly. Maps to LLM01/LLM06/ASI04.

- examples/bash-evasion-gallery/ — one disguised variant per
  T1 through T9 evasion technique fed through pre-bash-destructive,
  verified BLOCK after bash-normalize strips the evasion. T8
  base64-pipe-shell uses its own BLOCK_RULE. The canonical
  destructive form uses a path token rather than the bare slash
  (regex word-boundary requires it). Source-string fragmentation
  pattern reused from the e2e attack-chain test. Maps to
  LLM06/ASI01/LLM01.

Plugin README "Other runnable examples" section + plugin
CLAUDE.md "Examples" table + CHANGELOG Unreleased/Added
all updated. Marketplace root README unchanged
([skip-docs] for marketplace-level gate — plugin's outward
coverage is unchanged, only demonstrations were added).

plugins/llm-security/CHANGELOG.md

@@ -48,6 +48,35 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
   README enumerates the drift profile, points to
   `/security mcp-baseline-reset` for legitimate upgrades, and maps
   to MCP05 / LLM03 / ASI04.
+- `examples/supply-chain-attack/` — runnable demonstration of two
+  supply-chain layers catching the same attack from different
+  angles: `pre-install-supply-chain` (PreToolUse hook) blocks
+  `npm install event-stream@3.3.6` from the `NPM_COMPROMISED`
+  blocklist and emits a scope-hopping advisory for
+  `@evilcorp/lodash`; `dep-auditor` (offline DEP scanner) flags
+  4 typosquats (expresss / loadsh / axois / reaact / chalkk) plus
+  a `postinstall: curl -sSL ... | sh` install-script vector in the
+  fixture's `package.json`. Maps to LLM03 / LLM05 / ASI04.
+- `examples/poisoned-claude-md/` — runnable demonstration of all
+  six `memory-poisoning-scanner` detectors firing on a deliberately
+  poisoned `CLAUDE.md` plus a fixture
+  `.claude/agents/health-checker.md` (E15 / v7.2.0 agent-file
+  surface). Verifies findings from each of: detectInjection,
+  detectShellCommands, detectSuspiciousUrls, detectCredentialPaths,
+  detectPermissionExpansion, detectEncodedPayloads. No Claude Code
+  agent runtime required — scanner imported directly via ESM. Maps
+  to LLM01 / LLM06 / ASI04.
+- `examples/bash-evasion-gallery/` — runnable demonstration of the
+  T1-T9 bash evasion taxonomy (`bash-normalize.mjs`) — one disguised
+  variant per T-tag fed through `pre-bash-destructive` and verified
+  to BLOCK after normalization. T8 base64-pipe-shell uses its own
+  BLOCK_RULE rather than normalization. All cases use `rm -rf $HOME`
+  as the canonical destructive form (because the existing BLOCK
+  regex requires a word-boundary anchor on the path, which `/`
+  alone doesn't satisfy). Source-string fragmentation pattern from
+  `tests/e2e/attack-chain.test.mjs` is reused so the run-script
+  source contains no literal destructive command. Maps to LLM06 /
+  ASI01 / LLM01.
 
 ## [7.3.1] - 2026-05-01