chore: Add requirements.txt to enable full test coverage

[itinance]

Summary

Add a requirements.txt with the pinned pytest dependency so the scanner can validate its own supply chain — and so all 17 tests run instead of 14.

Problem

Without a requirements.txt, 3 tests are permanently skipped:

supply_chain_scanner/test_supply_chain.py::TestDependencyPinning::test_requirements_use_hashes_advisory SKIPPED
supply_chain_scanner/test_supply_chain.py::TestRequirementsIntegrity::test_no_direct_url_dependencies SKIPPED
supply_chain_scanner/test_supply_chain.py::TestRequirementsIntegrity::test_requirements_file_not_tampered SKIPPED

These tests check for:

1. Hash verification — whether --require-hashes is used (advisory)
2. Direct URL dependencies — git+, http:// entries that bypass PyPI (supply chain risk)
3. Requirements tampering — shell injection syntax (;, &&, $() in requirements lines

Skipping them means the scanner never validates its own dependency file — a supply chain security tool that doesn't eat its own dogfood.

Fix

Add requirements.txt with the exact pinned version:

pytest==8.4.0

Why exact pin (==) instead of range (>=)

• The pyproject.toml already declares pytest>=7.0 as the compatibility range for consumers
• requirements.txt serves a different purpose: reproducible installs for development and CI
• An exact pin in requirements.txt is the scanner's own recommendation (test_critical_packages_are_pinned)

Result

All 17 tests now run:

============================== 17 passed in 0.27s ==============================

[Desperado]

Makes sense — this enables the 3 requirements integrity tests that were skipping. Full coverage now.