
Add API media-type parser evidence gates #2290

Open
Errordog2 wants to merge 1 commit into UnitOneAI:main from Errordog2:codex/api-media-type-parser-gates

@Errordog2

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: api-security
Skill path: skills/appsec/api-security/

What Was Wrong

Issue #2281 notes that the current API security skill can over-trust the documented JSON path. An endpoint may have schema validation, authorization, and business-rule checks for application/json, while the runtime also accepts text/plain, form bodies, multipart metadata, raw webhook bodies, XML, vendor media types, charset variants, or alternate Accept response formats through parser paths that do not enforce equivalent controls.

That creates false assurance and missed findings for API3/API8/API9/API10 cases:

  • request body parser fallbacks can bypass schema validation or mass-assignment defenses;
  • multipart metadata can avoid the JSON validation path;
  • raw webhook parsers can verify signatures but skip structured validation or replay controls;
  • CSV/XML/HTML/export responses can expose fields that are filtered in JSON.

What This PR Fixes

  • Bumps api-security to 1.0.1.
  • Adds request and response representation inventory to API scoping.
  • Adds a dedicated Media-Type, Parser, and Representation Equivalence Gate before OWASP API Top 10 evaluation.
  • Requires evidence for request media-type allowlists, parser ordering, schema/property-authorization parity, multipart metadata, webhook raw-body handling, response negotiation, negative tests, and spec-to-runtime drift.
  • Adds API-PARSER finding triggers for undocumented accepted media types, multipart metadata gaps, raw-body trust gaps, alternate response leaks, OpenAPI/runtime drift, and fail-open unsupported media types.
  • Adds false-positive guardrails for legitimate vendor media types, raw webhook signatures, multipart uploads, and Not Evaluable parser behavior.
  • Extends the review report with a Media-Type and Representation Evidence table and per-finding parser/representation evidence.
  • Adds common pitfalls and a version history entry.

Evidence

Before: Reviewers could mark an endpoint safe after checking the JSON/OpenAPI path, even if alternate body parsers or response formats lacked equivalent validation and authorization.

After: Reviewers must prove unsupported media types are rejected or that each accepted parser/representation enforces equivalent validation, authorization, field filtering, and error handling before passing the endpoint.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing checks still pass

This existing skill stores examples in Markdown guidance files; the change keeps scope to SKILL.md.

Validation

  • git diff --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed file
  • Workflow-equivalent prompt-injection scan over skills/ and roles/
  • Marker check for version 1.0.1, Media-Type, Parser, and Representation Equivalence Gate, API-PARSER triggers, multipart metadata, raw-body handling, spec-to-runtime drift, Not Evaluable parser behavior, response-negotiation, and report output coverage

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance

Fixes #2281
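
The equivalence check this description asks reviewers to evidence, sketched as an added example that is not part of the pull request or the skill's files. The probe field names, verdict strings, the `/orders` endpoint and all sample data are assumptions made for illustration; treating "Not Evaluable" as blocking a pass without counting as a finding is also an assumption.

```python
# Added example: field names, verdict strings and probe data are illustrative assumptions.

CONTROLS = ("schema_enforced", "authz_enforced")

def normalize(content_type):
    """Lowercase type/subtype with parameters (charset, boundary) removed."""
    return content_type.split(";", 1)[0].strip().lower()

def evaluate_gate(documented, probes):
    """Check one endpoint's request media types against the equivalence gate.

    documented: media types the API spec declares for the request body.
    probes: one dict per test request with the Content-Type sent, the HTTP
            status returned, and True/False/None per control (None = the
            reviewer could not determine parser behaviour).
    """
    allowed = {normalize(m) for m in documented}
    findings, not_evaluable = [], []
    for probe in probes:
        sent = probe["content_type"]
        if not 200 <= probe["status"] < 300:
            continue  # rejected before a handler acted on the body
        if normalize(sent) not in allowed:
            findings.append((sent, "accepted but undocumented"))
        for control in CONTROLS:
            state = probe.get(control)
            if state is None:
                not_evaluable.append((sent, control))
            elif state is False:
                findings.append((sent, control + " missing"))
    passed = not findings and not not_evaluable
    return {"passed": passed, "findings": findings, "not_evaluable": not_evaluable}

# Constructed probe results for a hypothetical POST /orders documented as JSON only.
DOCUMENTED = ["application/json"]
PROBES = [
    {"content_type": "application/json", "status": 201,
     "schema_enforced": True, "authz_enforced": True},
    {"content_type": "application/json; charset=utf-16", "status": 201,
     "schema_enforced": None, "authz_enforced": True},
    {"content_type": "text/plain", "status": 201,
     "schema_enforced": False, "authz_enforced": True},
    {"content_type": "application/xml", "status": 415},
]

if __name__ == "__main__":
    print(evaluate_gate(DOCUMENTED, PROBES))
```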


Development

Successfully merging this pull request may close these issues.

[REVIEW] api-security: add media-type and parser-confusion evidence gates
