
Add payment webhook state machine review skill#2268

Open
Errordog2 wants to merge 1 commit into UnitOneAI:main from Errordog2:codex/payment-webhook-state-machine-review

Conversation

@Errordog2


Summary

Adds a new payment-webhook-state-machine-review skill for reviewing payment and billing webhook handlers against replay, out-of-order delivery, tenant/account binding, amount binding, refund/dispute abuse, subscription state drift, and reconciliation gaps.

This implements the proposed topic from #566.

What Changed

  • Added skills/appsec/payment-webhook-state-machine-review/SKILL.md
  • Registered the skill in index.yaml
  • Updated skill_count from 45 to 46

Evidence / Coverage

The skill includes:

  • provider authenticity and event provenance checks
  • replay/idempotency/atomicity gates
  • explicit payment/subscription transition guards
  • tenant, connected-account, object, amount, and currency binding checks
  • refund, chargeback, dispute, reversal, and credit-balance handling
  • reconciliation and drift-detection requirements
  • structured output tables for state-machine findings and replay/out-of-order/cross-tenant test scenarios
  • vulnerable and benign prompt-level fixtures

Validation

  • git diff --check
  • frontmatter required-field check for the new skill
  • index.yaml file-path existence check
  • index skill_count check: declared 46, actual skills 46
  • targeted rg checks for payment webhook, provider event ID, idempotency, out-of-order, refund, dispute, and reconciliation coverage
  • prompt-injection keyword scan over the new skill file

Refs #566
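The checks the skill description enumerates (provider authenticity, a replay gate keyed on the provider event ID, explicit transition guards, account/amount/currency binding, atomic commit) are easiest to reason about when laid out as one handler. The following is an added illustration written for this review, not code from the PR, the skill file, or the UnitOneAI repository. It assumes a hypothetical provider that signs the raw body with HMAC-SHA256 and includes an `account` field naming the connected account the event was generated for; the secret, event shape, order records and scenario events are all constructed here.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field

# Constructed secret for the example; a real deployment loads the provider's
# endpoint secret from configuration, never from source.
WEBHOOK_SECRET = b"whsec_example_constructed"

# Explicit transition table: (current order state, provider event type) -> new state.
# Any pair not listed is rejected, which is what catches out-of-order delivery.
TRANSITIONS = {
    ("created", "payment_intent.succeeded"): "paid",
    ("paid", "charge.refunded"): "refunded",
    ("paid", "charge.dispute.created"): "disputed",
}

@dataclass
class Order:
    order_id: str
    account: str       # connected account / tenant that owns the order
    amount_minor: int  # expected amount in minor units (cents)
    currency: str
    state: str = "created"

@dataclass
class Store:
    orders: dict
    processed_events: set = field(default_factory=set)

def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded (assumed provider scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def handle_webhook(store: Store, body: bytes, signature: str) -> str:
    # 1. Provider authenticity: verify the MAC over the raw bytes before parsing,
    #    using a constant-time comparison.
    if not hmac.compare_digest(sign(body), signature):
        return "rejected:bad_signature"
    event = json.loads(body)
    # 2. Replay gate keyed on the provider's event ID: acknowledge, change nothing.
    if event["id"] in store.processed_events:
        return "duplicate"
    data = event["data"]
    order = store.orders.get(data["order_id"])
    # 3. Object and tenant binding: the order named in the (attacker-influenced)
    #    payload must belong to the account the event was generated for.
    if order is None or order.account != event["account"]:
        return "rejected:account_mismatch"
    # 4. Amount and currency binding against what we expected to be paid.
    if data["amount"] != order.amount_minor or data["currency"] != order.currency:
        return "rejected:amount_mismatch"
    # 5. State-machine guard: only listed transitions are applied.
    new_state = TRANSITIONS.get((order.state, event["type"]))
    if new_state is None:
        return f"rejected:invalid_transition:{order.state}<-{event['type']}"
    # 6. Commit the state change and the event ID together; in production this is
    #    one database transaction so a crash cannot record one without the other.
    order.state = new_state
    store.processed_events.add(event["id"])
    return f"applied:{new_state}"

def make_event(event_id, etype, order_id, amount, currency, account, secret=WEBHOOK_SECRET):
    """Build a constructed provider event body and its signature."""
    body = json.dumps({"id": event_id, "type": etype, "account": account,
                       "data": {"order_id": order_id, "amount": amount,
                                "currency": currency}}).encode()
    return body, sign(body, secret)

def run_scenarios() -> list:
    """Out-of-order, replay, cross-tenant, underpayment and forgery cases."""
    store = Store(orders={
        "ord_1": Order("ord_1", "acct_A", 5000, "usd"),
        "ord_2": Order("ord_2", "acct_B", 100000, "usd"),
        "ord_3": Order("ord_3", "acct_A", 2000, "usd"),
    })
    cases = [
        # refund delivered before the payment it refunds
        ("evt_1", "charge.refunded", "ord_1", 5000, "usd", "acct_A", WEBHOOK_SECRET),
        # legitimate payment
        ("evt_2", "payment_intent.succeeded", "ord_1", 5000, "usd", "acct_A", WEBHOOK_SECRET),
        # exact replay of evt_2
        ("evt_2", "payment_intent.succeeded", "ord_1", 5000, "usd", "acct_A", WEBHOOK_SECRET),
        # acct_A's own payment pointing at acct_B's order via the order_id field
        ("evt_3", "payment_intent.succeeded", "ord_2", 100000, "usd", "acct_A", WEBHOOK_SECRET),
        # 1 cent paid against a 2000-cent order
        ("evt_4", "payment_intent.succeeded", "ord_3", 1, "usd", "acct_A", WEBHOOK_SECRET),
        # body signed with the wrong secret
        ("evt_5", "payment_intent.succeeded", "ord_3", 2000, "usd", "acct_A", b"wrong"),
    ]
    return [handle_webhook(store, *make_event(*c)) for c in cases]

if __name__ == "__main__":
    for result in run_scenarios():
        print(result)
```

The ordering of the gates matters: the signature check runs on raw bytes before any parsing, the replay check runs before any side effect, and the transition table rejects a refund that arrives before its payment instead of silently applying it to an unpaid order. A real handler would typically park such an out-of-order event for retry rather than drop it, and the reconciliation job the PR describes is what catches anything the live path still gets wrong.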
