Add zero trust weakest-pillar evidence gates #1567

Open
malb200710-dev wants to merge 1 commit into UnitOneAI:main from malb200710-dev:codex/zero-trust-weakest-pillar-1533

@malb200710-dev

Bounty type

Skill Improvement bounty

Modified skill

skills/identity/zero-trust-assessment/SKILL.md

Issue

Fixes #1533

What was missing

The zero trust assessment could overstate overall maturity when one pillar was strong but Devices, Networks, Data, cross-cutting governance, or legacy systems remained weak. It also treated device compliance too much like a binary control instead of checking runtime enforcement depth.

What changed

  • Bumped zero-trust-assessment to v1.0.1.
  • Added Device Compliance Enforcement Depth evidence fields for grace periods, enforcement paths, session revocation, remediation SLA, and posture source.
  • Added special handling for managed-browser BYOD, VDI/remote desktop inherited posture, and non-human workload identities.
  • Added a weakest-pillar floor rule for overall maturity.
  • Added a cross-pillar dependency risk matrix with concrete attack paths caused by pillar imbalance.
  • Added Legacy Zero Trust Readiness fields for modern auth compatibility, segmentation pattern, accountability, monitoring depth, and migration timeline.
  • Added output sections for Overall Maturity Gate, Device Enforcement Depth, Cross-Pillar Dependency Risks, and Legacy ZT Readiness.
  • Added common pitfalls for averaging away weak pillars, binary device compliance, and unscored legacy systems.

Validation

  • Confirmed v1.0.1 version bump.
  • Confirmed weakest-pillar floor rule is present.
  • Confirmed device enforcement depth gate is present.
  • Confirmed cross-pillar dependency risk matrix is present.
  • Confirmed legacy readiness output is present.
  • Confirmed special posture models are present.
  • Confirmed Markdown fence balance.

Bounty request

Requesting consideration for the SecuritySkills improver bounty if accepted/merged. Payment details can be provided privately after acceptance.

Development

Successfully merging this pull request may close these issues.

[REVIEW] zero-trust-assessment: add weakest-pillar floor, device enforcement depth, and legacy ZT readiness gates