Add SCIM provisioning lifecycle security skill

[YfengJ]

/claim #2421

Summary

• add a dedicated scim-provisioning-deprovisioning-security skill for SCIM, directory-sync, HRIS/IdP lifecycle joins, SaaS provisioning, and downstream authorization flows
• cover authoritative identity and tenant binding, safe defaults, update semantics, deprovisioning completeness, replay/idempotency/conflict handling, and audit/reconciliation evidence
• add vulnerable and benign fixtures for stale SCIM entitlements after disable versus a safe lifecycle sync
• update index.yaml and quote the existing ISO framework values so the index parses cleanly

Validation

• RED check before implementation: confirmed the skill file and index entry were missing
• ruby -ryaml -e 'idx = YAML.load_file("index.yaml"); files = idx.fetch("skills").map { |s| s.fetch("file") }; missing = files.reject { |p| File.file?(p) }; abort "missing files:\n#{missing.join("\n")}" unless missing.empty?; count = idx.fetch("meta").fetch("skill_count"); abort "skill_count #{count} != #{files.size}" unless count == files.size; puts "index ok: #{files.size} skills"'
• ruby -e 'Dir["skills/**/*.md"].each { |f| n = File.read(f).scan(/^```/).size; abort "#{f}: odd fenced code count #{n}" if n.odd? }; puts "markdown fences ok"'
• find tests -name '*.json' -print0 | xargs -0 -n1 jq empty && echo 'json fixtures ok'
• git diff --cached --check

Requested bounty tier: Intermediate ($350). Payment details can be provided privately after maintainer acceptance.