
Add PIR near-miss notification gates #1606

Open
alejandrorivas-pixel wants to merge 1 commit into UnitOneAI:main from alejandrorivas-pixel:improve/pir-near-miss-notification-gates

@alejandrorivas-pixel

Bounty type

Skill Improvement bounty

Modified skill

skills/incident-response/post-incident-review/SKILL.md

Issue

Closes #1605

What was missing

The PIR skill supported near-miss analysis, but the required metrics and output format still assumed confirmed compromise/recovery timestamps. It also did not require explicit review of response actions that inhibited recovery/evidence collection, or legal/privacy notification-clock tracking for plausible data-exposure incidents.

What changed

  • Added metric-mode handling for confirmed compromise, near miss/blocked attempt, and uncertain compromise.
  • Added near-miss metrics for attempt detection time, time to block, blocking control, recurrence count, and false-negative review.
  • Added a response-action impact review gate for side effects, evidence impact, rollback criteria, and break-glass ownership.
  • Added a legal/privacy notification-clock gate for regulated-data exposure assessment, legal/privacy engagement, notification decisions, deadlines, and status.
  • Added benign and vulnerable fixtures covering the new gates.

Validation

  • git diff --check
  • git diff --cached --check
  • Markdown fence-balance check for the touched skill directory
  • ASCII check for the touched skill directory
  • Required marker check for near-miss, response-action, and notification-clock coverage
  • Added-line sensitive-pattern scan; findings were expected generic terms in the skill safety notice and fixture field names, with no real secrets or payment data

Payment

Payment details can be provided privately after maintainer acceptance.
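
The gates listed under "What changed", sketched as an added example that is not part of this pull request or the skill's own files. The mode names, field names and record layout are hypothetical, derived from the items named in the description, and scoring an uncertain compromise with the near-miss metrics is an assumption.

```python
from datetime import datetime
# Hypothetical field names mirroring the PR description, not the SKILL.md schema.
NEAR_MISS = ["attempt_detected_at", "blocked_at", "blocking_control",
             "recurrence_count", "false_negative_review"]
REQUIRED_METRICS = {
    "confirmed_compromise": ["compromised_at", "recovered_at"],
    "near_miss": NEAR_MISS,
    "uncertain_compromise": NEAR_MISS,  # assumption: scored like a near miss
}
ACTION_FIELDS = ["side_effects", "evidence_impact", "rollback_criteria",
                 "break_glass_owner"]
CLOCK_FIELDS = ["regulated_data_assessment", "legal_privacy_engaged",
                "notification_decision", "deadline", "status"]

def missing(record, fields):
    """Fields that are absent or empty; 0 and False count as answered."""
    return [f for f in fields if record.get(f) in (None, "")]

def review_gates(pir):
    """Return gate findings for one PIR record; an empty list means pass."""
    mode = pir.get("metric_mode")
    if mode not in REQUIRED_METRICS:
        return [f"metric_mode: unknown mode {mode!r}"]
    found = [f"metrics: missing {f}"
             for f in missing(pir.get("metrics", {}), REQUIRED_METRICS[mode])]
    for i, action in enumerate(pir.get("response_actions", [])):
        found += [f"response_actions[{i}]: missing {f}"
                  for f in missing(action, ACTION_FIELDS)]
    if pir.get("data_exposure_plausible"):  # clock gate applies only then
        found += [f"notification_clock: missing {f}" for f in
                  missing(pir.get("notification_clock") or {}, CLOCK_FIELDS)]
    return found

def time_to_block_seconds(metrics):
    """Near-miss 'time to block': blocked_at minus attempt_detected_at."""
    start = datetime.fromisoformat(metrics["attempt_detected_at"])
    return (datetime.fromisoformat(metrics["blocked_at"]) - start).total_seconds()

# Constructed sample: a blocked login attempt reviewed as a near miss.
SAMPLE = {
    "metric_mode": "near_miss", "data_exposure_plausible": True,
    "metrics": {"attempt_detected_at": "2024-05-01T10:00:00",
                "blocked_at": "2024-05-01T10:04:30", "recurrence_count": 0,
                "blocking_control": "conditional access policy",
                "false_negative_review": "none found"},
    "response_actions": [{"side_effects": "user locked out",
                          "evidence_impact": "tokens revoked before capture",
                          "break_glass_owner": "IR lead"}],
}
```

Calling `review_gates(SAMPLE)` reports the response action's missing rollback criteria and every unanswered notification-clock field, while the near-miss metrics pass without any compromise or recovery timestamp.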


Development

Successfully merging this pull request may close these issues.

[REVIEW] post-incident-review: add near-miss metrics and notification-clock gates
