docs: add public source disclaimers to threat intel data (#226)

All threat actor profiles, campaign data, and attack chain templates now include explicit disclaimers that the information is derived exclusively from publicly available sources (CISA, FBI, vendor reports, court documents, news). No non-public or proprietary incident data is included.

Author: depalmar

data/threat-actor-ttps/README.md

@@ -1,5 +1,7 @@
 # Threat Actor TTP Database
 
+> **Data Disclaimer**: All threat intelligence in this database is derived **exclusively from publicly available sources** including government advisories (CISA, FBI, NSA, NCSC), vendor threat reports, academic research, court documents, and news reporting. **No non-public, proprietary, or confidential incident data is included.** This data is provided for educational purposes only.
+
 This directory contains comprehensive threat actor profiles, campaign data, and attack chain templates based on documented TTPs from MITRE ATT&CK and public threat intelligence reports.
 
 ## Purpose

data/threat-actor-ttps/actors/alphv.json

@@ -1,6 +1,7 @@
 {
   "id": "alphv",
   "name": "ALPHV",
+  "data_disclaimer": "All information in this profile is derived exclusively from publicly available sources including government advisories (CISA, FBI), vendor threat reports, court documents, and news reporting. No non-public or proprietary incident data is included.",
   "aliases": ["BlackCat", "Noberus", "ALPHV BlackCat"],
   "country": "Russia",
   "attributed_to": "Russian-speaking ransomware-as-a-service operation, believed to include former DarkSide/BlackMatter members",

data/threat-actor-ttps/actors/scattered_spider.json

@@ -1,6 +1,7 @@
 {
   "id": "scattered_spider",
   "name": "Scattered Spider",
+  "data_disclaimer": "All information in this profile is derived exclusively from publicly available sources including government advisories (CISA, FBI), vendor threat reports, court documents, and news reporting. No non-public or proprietary incident data is included.",
   "aliases": ["Roasted 0ktapus", "UNC3944", "Octo Tempest", "Star Fraud", "0ktapus"],
   "country": "United States/United Kingdom",
   "attributed_to": "Loosely organized cybercriminal group, primarily young adults (16-22 years old)",

data/threat-actor-ttps/attack-chains/identity_compromise.json

@@ -1,6 +1,7 @@
 {
   "id": "identity-compromise",
   "name": "Identity Provider and Cloud Compromise",
+  "data_disclaimer": "All information is derived exclusively from publicly available sources including government advisories, vendor threat reports, and news reporting. No non-public incident data is included.",
   "description": "Modern attack pattern targeting identity providers (Okta, Azure AD/Entra ID, Google Workspace) and cloud infrastructure. Increasingly used by sophisticated actors who understand that compromising identity = compromising everything.",
   "typical_actors": ["Scattered Spider", "APT29", "LAPSUS$"],
   "notable_examples": ["MGM Resorts", "Okta breach", "Microsoft token theft"],

labs/lab36-threat-actor-profiling/data/threat_actor_profiles.json

@@ -1,4 +1,5 @@
 {
+  "data_disclaimer": "All threat actor information is derived exclusively from publicly available sources including government advisories (CISA, FBI, NSA), vendor threat reports, academic research, court documents, and news reporting. No non-public or proprietary incident data is included.",
   "actors": [
     {
       "id": "apt29",