Improve segmentation service mesh and egress evidence#1563

Open
wowsofine wants to merge 1 commit into UnitOneAI:main from wowsofine:improve/segmentation-service-mesh-egress-evidence
Conversation

@wowsofine

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with Codex against the segmentation skill file
  • No prohibited patterns per SECURITY.md
  • index.yaml update not required because this improves an existing skill

What This PR Does

This improves skills/network/segmentation/SKILL.md by adding service mesh and egress evidence gates for cloud-native segmentation reviews.

The new SEG-MESH-01 through SEG-MESH-06 checks cover mesh enrollment, strict workload identity, service authorization policy coverage, egress allowlists, bypass controls such as hostNetwork and excluded ports, and a default-deny fallback when mesh policy is absent or fails.

I also added a Service Mesh and Egress Evidence matrix to the report template so findings can map directly to the reviewed artifacts.

Framework References

  • NIST SP 800-207 Zero Trust Architecture, especially per-session resource access and policy enforcement points
  • CIS Controls v8 Control 12, network infrastructure management and secure architecture
  • Kubernetes NetworkPolicy and service mesh policy patterns cited in the skill references

Testing

  • git diff --check -- skills/network/segmentation/SKILL.md
  • Markdown fence balance check
  • content marker check for SEG-MESH-01 through SEG-MESH-06
  • content marker check for AuthorizationPolicy, PeerAuthentication, CiliumNetworkPolicy, and hostNetwork

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors or maintainer-confirmed private method

@wowsofine
Author

Bounty claim note: requesting consideration for the moderate improver bounty (USD 100).

This PR adds SEG-MESH-01 through SEG-MESH-06 and the Service Mesh and Egress Evidence matrix to reduce missed segmentation evidence for Istio/Linkerd/Cilium/Calico environments, including mesh enrollment, mTLS, authorization coverage, egress allowlists, bypass controls, and default-deny fallback.
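As an added example that is not part of this PR or of the project's skill file, the Python below applies three of the evidence gates described above (strict workload identity, the hostNetwork bypass control, and the default-deny fallback) to a constructed set of parsed Istio/Kubernetes manifests. The function names, gate wording and sample manifests are assumptions for illustration, not the skill's own checks.

```python
# Evidence gates for a service-mesh segmentation review. Example code, not the project's skill:
# the helper names and the sample manifests below are constructed for this example.

def manifest(kind, ns, name, spec):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": spec}

SAMPLE_DOCS = [  # constructed Istio/Kubernetes manifests, as they look after YAML parsing
    manifest("PeerAuthentication", "istio-system", "default", {"mtls": {"mode": "STRICT"}}),
    manifest("AuthorizationPolicy", "istio-system", "deny-all", {}),
    manifest("Deployment", "ops", "node-agent", {"template": {"spec": {"hostNetwork": True}}}),
    manifest("Deployment", "shop", "api", {"template": {"spec": {}}}),
]

def _name(d):
    return f"{d['metadata'].get('namespace', 'default')}/{d['metadata']['name']}"

def mtls_findings(docs, root_ns="istio-system"):
    """Strict workload identity: a selector-less STRICT PeerAuthentication in the mesh root
    namespace, and no PERMISSIVE/DISABLE override at namespace, workload or port level."""
    pas = [d for d in docs if d.get("kind") == "PeerAuthentication"]
    root_strict = any(d["metadata"].get("namespace") == root_ns and "selector" not in d["spec"]
                      and d["spec"].get("mtls", {}).get("mode") == "STRICT" for d in pas)
    out = [] if root_strict else [f"no mesh-wide STRICT PeerAuthentication in {root_ns}"]
    for d in pas:
        modes = [d["spec"].get("mtls", {}).get("mode")]
        modes += [p.get("mode") for p in d["spec"].get("portLevelMtls", {}).values()]
        weak = sorted({m for m in modes if m in ("PERMISSIVE", "DISABLE")})
        if weak:
            out.append(f"mTLS weakened to {'/'.join(weak)} by {_name(d)}")
    return out

def default_deny_findings(docs, root_ns="istio-system"):
    """Default-deny fallback: an empty-spec AuthorizationPolicy (no selector, no rules) in the
    root namespace denies all requests mesh-wide; without it the mesh allows by default."""
    if any(d.get("kind") == "AuthorizationPolicy" and d["metadata"].get("namespace") == root_ns
           and not d.get("spec") for d in docs):
        return []
    return [f"no mesh-wide default-deny AuthorizationPolicy in {root_ns}"]

def host_network_findings(docs):
    """Bypass controls: the sidecar injector skips hostNetwork pods, so mesh policy never sees them."""
    out = []
    for d in docs:
        spec = d.get("spec", {})
        pod = spec.get("template", {}).get("spec", spec)  # workload controllers wrap a pod template
        if pod.get("hostNetwork"):
            out.append(f"hostNetwork workload outside mesh policy: {_name(d)}")
    return out
```

Each function returns the evidence gaps for its gate; an empty list means the gate passed, and the non-empty ones are the rows a reviewer would carry into the evidence matrix.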
