
Add secrets bootstrap recovery gates #1591

Open
alejandrorivas-pixel wants to merge 1 commit into UnitOneAI:main from alejandrorivas-pixel:improve/secrets-bootstrap-recovery-gates

Conversation

@alejandrorivas-pixel

Skill Improvement ($50-150 Bounty)

Closes #1577

Skill Modified

Skill name: secrets-management
Skill path: skills/devsecops/secrets-management/

What Was Wrong

The skill covered secret detection, rotation, vault integration, and agent credential handling, but did not explicitly require review evidence for the first credential used to reach the secrets manager. That can miss realistic secret-zero failures: file-mounted bootstrap tokens, unconstrained workload identity, broad Vault policies, missing revocation after failed bootstrap, and break-glass credentials stored in runbooks without owner/test/rotation evidence.

What This PR Fixes

This PR adds bootstrap and recovery gates for:

  • Secret-zero source inventory and workload identity constraints.
  • Long-lived bootstrap tokens, image-baked bootstrap material, and broad secret path policies.
  • Bootstrap TTL, reuse, failed-attempt revocation, and audit logging evidence.
  • Break-glass custody, dual-control/approval, recovery drill, and post-use rotation evidence.

It also expands discovery patterns, severity guidance, output reporting, common pitfalls, and references for Vault AppRole/JWT auth, GitHub OIDC hardening, and Kubernetes service account token handling.

Evidence

Before (skill misses this):

VAULT_TOKEN=$(cat /var/run/bootstrap-token)
vault kv get -format=json secret/prod/*
vault_bootstrap:
  auth_method: static_token
  token_ttl: 30d
  policy: prod-read-all
  revocation_on_failed_bootstrap: false
  audit_log_sink: disabled

break_glass:
  storage: runbook.pdf
  owner: ""
  last_tested: ""
  rotation_after_use: ""

After (now correctly handled):

github_actions_oidc:
  issuer: https://token.actions.githubusercontent.com
  audience: vault://prod-secrets
  subject: repo:example/payments:environment:production
  branch: refs/heads/main

vault_jwt_role:
  token_ttl: 15m
  token_max_ttl: 20m
  bound_claims:
    repository: example/payments
    ref: refs/heads/main
    environment: production
  policies:
    - payments-prod-read

Test Cases Added/Updated

  • Added vulnerable test case: skills/devsecops/secrets-management/tests/vulnerable/long-lived-bootstrap-token.md
  • Added benign test case: skills/devsecops/secrets-management/tests/benign/oidc-bootstrap-recovery-evidence.md
  • Existing checks still pass locally for changed files

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Validation

  • git diff --check
  • git diff --cached --check
  • rg -n "Step 5\.5|secret-zero|break-glass|Bootstrap and Recovery|OIDC|revocation|VAULT_TOKEN" skills/devsecops/secrets-management
  • Injection-pattern scan over skills/devsecops/secrets-management returned no matches for the repository's prohibited phrases.

Bounty Info

Bounty target: skill improvement, moderate tier. Payment details can be provided privately after maintainer acceptance.
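The gates listed under "What This PR Fixes" can be expressed as a small checker that runs over a bootstrap configuration. The block below is an added example, not code from this PR or from the secrets-management skill it modifies: it re-keys the "Before" and "After" YAML from the description into Python dicts (constructed sample data), and applies the secret-zero, TTL, broad-policy, revocation, audit-logging and break-glass evidence gates. The one-hour TTL ceiling, the broad-policy name heuristic, the `bound_claims`/`token_max_ttl` fields in the "after" case and the break-glass storage path are assumptions chosen for the example.

```python
"""Evaluate a secrets-bootstrap configuration against recovery gates.

Added example; not the skill's own checker. Field names follow the YAML in
the PR description, thresholds and heuristics are assumptions.
"""
import re

# Constructed sample: the "before" configuration from the PR description.
BEFORE = {
    "vault_bootstrap": {
        "auth_method": "static_token",
        "token_ttl": "30d",
        "policy": "prod-read-all",
        "revocation_on_failed_bootstrap": False,
        "audit_log_sink": "disabled",
    },
    "break_glass": {
        "storage": "runbook.pdf",
        "owner": "",
        "last_tested": "",
        "rotation_after_use": "",
    },
}

# Constructed sample: the "after" configuration re-keyed into the same shape.
# Assumption: a JWT/OIDC role with bound claims, short TTL and real evidence.
AFTER = {
    "vault_bootstrap": {
        "auth_method": "jwt",
        "token_ttl": "15m",
        "token_max_ttl": "20m",
        "bound_claims": {
            "repository": "example/payments",
            "ref": "refs/heads/main",
            "environment": "production",
        },
        "policy": "payments-prod-read",
        "revocation_on_failed_bootstrap": True,
        "audit_log_sink": "siem",           # assumption: any enabled sink
    },
    "break_glass": {
        "storage": "vault:/break-glass/prod",  # assumption: vault-held, not a document
        "owner": "platform-oncall",
        "last_tested": "2024-01-15",
        "rotation_after_use": "required",
    },
}

MAX_BOOTSTRAP_TTL_SECONDS = 3600  # assumption: bootstrap tokens live at most one hour
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Parse Vault-style durations such as '15m' or '30d' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def is_broad_policy(name):
    """Heuristic: policy names that read like blanket grants (read-all, admin, root, wildcard)."""
    return bool(re.search(r"(read-all|admin|root|\*)", name))


def check_bootstrap(config):
    """Return (severity, gate, message) findings; an empty list means every gate passed."""
    findings = []
    vb = config.get("vault_bootstrap", {})
    bg = config.get("break_glass", {})

    # Gate: secret-zero source and workload identity constraints.
    if vb.get("auth_method") in ("static_token", "token"):
        findings.append(("high", "secret-zero-source",
                         "bootstrap uses a static/file-mounted token instead of workload identity"))
    if vb.get("auth_method") in ("jwt", "oidc") and not vb.get("bound_claims"):
        findings.append(("high", "workload-identity-constraints", "JWT/OIDC role has no bound claims"))

    # Gate: bootstrap TTL and broad secret-path policies.
    ttl = vb.get("token_ttl")
    if ttl is None or parse_duration(ttl) > MAX_BOOTSTRAP_TTL_SECONDS:
        findings.append(("high", "bootstrap-ttl",
                         f"bootstrap token TTL {ttl!r} is unset or exceeds {MAX_BOOTSTRAP_TTL_SECONDS}s"))
    if is_broad_policy(vb.get("policy", "")):
        findings.append(("high", "broad-policy", f"policy {vb.get('policy')!r} grants broad secret paths"))

    # Gate: failed-attempt revocation and audit logging evidence.
    if not vb.get("revocation_on_failed_bootstrap"):
        findings.append(("medium", "failed-bootstrap-revocation",
                         "credentials are not revoked after a failed bootstrap"))
    if vb.get("audit_log_sink", "disabled") == "disabled":
        findings.append(("medium", "audit-logging", "bootstrap audit logging is disabled"))

    # Gate: break-glass custody, owner, drill and post-use rotation evidence.
    for field in ("owner", "last_tested", "rotation_after_use"):
        if not bg.get(field):
            findings.append(("medium", "break-glass-evidence", f"break-glass {field} is missing"))
    if bg.get("storage", "").lower().endswith((".pdf", ".md", ".txt", ".docx")):
        findings.append(("high", "break-glass-custody",
                         f"break-glass credential is stored in a document ({bg.get('storage')})"))
    return findings


def gate_names(findings):
    """Distinct gate identifiers that failed, sorted for stable reporting."""
    return sorted({gate for _, gate, _ in findings})


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}:")
        for sev, gate, msg in check_bootstrap(cfg) or [("info", "all-gates", "pass")]:
            print(f"  [{sev}] {gate}: {msg}")
```

Run stand-alone, the "before" configuration fails seven distinct gates (nine findings, three of them for the empty break-glass fields) while the "after" configuration produces no findings. The gates are deliberately evidence-based: a field that is blank counts as a failure, which matches the PR's point that break-glass credentials need owner, test and rotation evidence rather than merely existing.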



Development

Successfully merging this pull request may close these issues.

[REVIEW] secrets-management: add bootstrap secret-zero and recovery evidence gates

2 participants