
Improve secrets bootstrap credential gates#2209

Open
DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/secrets-bootstrap-fixtures-2064

Conversation

@DENGXUELIN


/claim #2064

Skill Improvement ($50-150 Bounty)

Related review issue: #2064

Summary

This improves secrets-management by adding secret-zero bootstrap evidence gates so Vault, OIDC, brokered, and dynamic credential claims are not credited when the first machine credential is paired, over-broad, persistent, or unaudited.

Changes

  • Add SEC-ZERO-01 through SEC-ZERO-08 evidence gates.
  • Require bootstrap exchange inventory for CI/CD agents, bots, Kubernetes workloads, AI agents, and deployment jobs.
  • Require paired bootstrap material separation, bounded OIDC/workload identity claims, AppRole response wrapping and one-use/short-TTL controls, issued credential TTL/scope/revocation evidence, non-persistence checks, and audit correlation.
  • Extend output with a Secret-Zero Bootstrap Review table and gate results.
  • Add skill-local benign and vulnerable JSON fixtures.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Validation

  • git diff --cached --check
  • git diff --check origin/main...HEAD
  • JSON parse check for both fixtures
  • Markdown fence balance check
  • marker checks for SEC-ZERO-01 through SEC-ZERO-08
  • added-line realistic-token-pattern scan
  • git merge-tree --write-tree origin/main HEAD matches HEAD^{tree}
  • fork branch created through GitHub Git Data API; remote tree verified against local HEAD^{tree}

Payment preference

GitHub Sponsors, if accepted.
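The gates listed in the PR description can be read as a small evidence evaluator over a bootstrap-exchange inventory. The block below is an added example, not code from the UnitOneAI repository or from this PR: it runs one check per named control (paired-material separation, bounded OIDC claims, AppRole response wrapping with one-use/short-TTL secret_id, issued-credential TTL/scope/revocation, non-persistence, audit correlation) and credits the credential claim only when every gate is clean. The mapping of those controls onto SEC-ZERO-01 through SEC-ZERO-08, the inventory field names, the TTL thresholds and both inventories are assumptions constructed for the example; the PR does not publish its fixture schema.

```python
"""Added example, not code from the UnitOneAI repository or from PR #2209: a
gate evaluator over a bootstrap-exchange inventory.  The gate numbering
SEC-ZERO-01..08, the field names and the TTL thresholds are assumptions; the
PR names the controls but not its fixture schema."""
import re

KINDS = {"ci_agent", "bot", "k8s_workload", "ai_agent", "deploy_job"}
METHODS = {"oidc", "approle", "brokered", "dynamic"}
MAX_SECRET_ID_TTL_S = 300    # assumption: a one-use secret_id expires within 5 min
MAX_ISSUED_TTL_S = 4 * 3600  # assumption: an issued credential lives at most 4 h
WILDCARD = re.compile(r"^\*$|/\*$|:\*$")

# Constructed inventories (not the PR's fixtures), one entry per first credential.
BENIGN = [
    {"workload": "ci-deploy-job", "kind": "ci_agent", "method": "oidc",
     "bound_claims": {"aud": "vault", "repository": "UnitOneAI/app", "ref": "refs/heads/main"},
     "issued": {"ttl_s": 900, "policies": ["deploy-prod-ro"], "revoked_at": "2024-05-01T10:15Z"},
     "persisted_to": [], "audit_ref": "vault-audit#8a1f"},
    {"workload": "billing-bot", "kind": "bot", "method": "approle",
     "role_id_channel": "ci-variable", "secret_id_channel": "response-wrapped-token",
     "response_wrapped": True, "secret_id_num_uses": 1, "secret_id_ttl_s": 120,
     "issued": {"ttl_s": 3600, "policies": ["billing-rw"], "revoked_at": "2024-05-01T11:00Z"},
     "persisted_to": [], "audit_ref": "vault-audit#8a20"},
]
VULNERABLE = [  # paired material in one place, never expires, persisted, unaudited
    {"workload": "legacy-bot", "kind": "bot", "method": "approle",
     "role_id_channel": "repo-config", "secret_id_channel": "repo-config",
     "response_wrapped": False, "secret_id_num_uses": 0, "secret_id_ttl_s": 0,  # 0 = unlimited
     "issued": {"ttl_s": 0, "policies": ["root"], "revoked_at": None},
     "persisted_to": ["/etc/app/.vault-token"], "audit_ref": None},
    {"workload": "agent-runner", "kind": "ai_agent", "method": "oidc",
     "bound_claims": {"aud": "vault", "repository": "UnitOneAI/*"},  # no ref bound
     "issued": {"ttl_s": 86400, "policies": ["*"], "revoked_at": None},
     "persisted_to": ["container-image:/root/.token"], "audit_ref": "vault-audit#9b00"},
]

def gate_01_inventory(inv):  # every exchange names a known workload kind and method
    return [f"{e.get('workload')}: unknown kind/method" for e in inv
            if e.get("kind") not in KINDS or e.get("method") not in METHODS]

def gate_02_paired_separation(inv):  # role_id and secret_id must not share a channel
    return [f"{e['workload']}: role_id and secret_id both via {e['role_id_channel']}"
            for e in inv if e["method"] == "approle"
            and e.get("role_id_channel") == e.get("secret_id_channel")]

def gate_03_bounded_claims(inv):  # OIDC claims bind aud, repository and ref, no wildcards
    out = []
    for e in (x for x in inv if x["method"] == "oidc"):
        claims = e.get("bound_claims", {})
        missing = [c for c in ("aud", "repository", "ref") if c not in claims]
        wild = [c for c, v in claims.items() if WILDCARD.search(str(v))]
        if missing or wild:
            out.append(f"{e['workload']}: missing={missing} wildcard={wild}")
    return out

def gate_04_approle_controls(inv):  # secret_id response-wrapped, single-use, short TTL
    out = []
    for e in (x for x in inv if x["method"] == "approle"):
        if not e.get("response_wrapped"):
            out.append(f"{e['workload']}: secret_id not response-wrapped")
        if e.get("secret_id_num_uses") != 1 or not 0 < e.get("secret_id_ttl_s", 0) <= MAX_SECRET_ID_TTL_S:
            out.append(f"{e['workload']}: secret_id is not one-use/short-lived")
    return out

def gate_05_issued_credential(inv):  # bounded TTL, non-root/non-wildcard scope, revoked
    out = []
    for e in inv:
        iss = e["issued"]
        if not 0 < iss.get("ttl_s", 0) <= MAX_ISSUED_TTL_S:
            out.append(f"{e['workload']}: issued ttl_s={iss.get('ttl_s')}")
        if any(p == "root" or WILDCARD.search(p) for p in iss.get("policies", [])):
            out.append(f"{e['workload']}: over-broad policies {iss['policies']}")
        if not iss.get("revoked_at"):
            out.append(f"{e['workload']}: no revocation evidence")
    return out

def gate_06_non_persistence(inv):  # bootstrap material not written to disk/image/config
    return [f"{e['workload']}: persisted to {e['persisted_to']}" for e in inv if e.get("persisted_to")]

def gate_07_audit_correlation(inv):  # each exchange correlates to an audit record
    return [f"{e['workload']}: no audit record" for e in inv if not e.get("audit_ref")]

GATES = {"SEC-ZERO-01": gate_01_inventory, "SEC-ZERO-02": gate_02_paired_separation,
         "SEC-ZERO-03": gate_03_bounded_claims, "SEC-ZERO-04": gate_04_approle_controls,
         "SEC-ZERO-05": gate_05_issued_credential, "SEC-ZERO-06": gate_06_non_persistence,
         "SEC-ZERO-07": gate_07_audit_correlation}

def evaluate(inv):
    """Run gates 01-07; SEC-ZERO-08 is the credit decision: Vault/OIDC/brokered/
    dynamic credential claims are credited only when no other gate has findings."""
    results = {gate: fn(inv) for gate, fn in GATES.items()}
    results["SEC-ZERO-08"] = [] if not any(results.values()) else ["credential claims not credited"]
    return results

def review_table(inv):
    """Rows for a Secret-Zero Bootstrap Review table (Markdown)."""
    rows = ["| Gate | Result | Findings |", "|---|---|---|"]
    rows += [f"| {g} | {'PASS' if not f else 'FAIL'} | {'; '.join(f)} |" for g, f in evaluate(inv).items()]
    return "\n".join(rows)
```

Run `print(review_table(VULNERABLE))` to see the table form; the benign inventory passes all eight gates, while the vulnerable one passes only the inventory gate and is refused credit by SEC-ZERO-08. Each gate returns findings rather than a bare boolean so the review output can say which workload failed and why, which is the evidence a reviewer needs before crediting a claim.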
