
Improve IAM cloud privilege escalation coverage#1047

Closed
DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/iam-cloud-privilege-escalation

Conversation

@DENGXUELIN


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: iam-review
Skill path: skills/identity/iam-review/

What Was Wrong

iam-review covered least privilege, stale accounts, MFA, JIT, and service account hygiene, but it did not require reviewers to test cloud-specific privilege escalation paths. A principal can look limited in a broad IAM review while still being able to escalate through role passing, service account impersonation, policy mutation, app credential control, or workload identity attachment.

What This PR Fixes

This PR adds a cloud privilege escalation evidence gate to iam-review:

  • AWS checks for iam:PassRole, runtime workload launch/update paths, IAM policy self-management, STS role assumption, trust conditions, SCPs, and permissions boundaries.
  • Azure / Entra ID checks for role assignment/custom role administration, app registration and service principal credential control, admin consent, federated credentials, and managed identity attachment.
  • GCP checks for service account impersonation, token creation/signing permissions, IAM policy mutation, custom role updates, and privileged workload launch paths.
  • Report output now includes a Cloud Privilege Escalation Matrix plus finding fields for the escalation primitive, target identity/resource, required conditions, observed result, and guardrail status.
  • Adds vulnerable and benign AWS PassRole fixtures to demonstrate the difference between exploitable role passing and guarded role passing.

Closes #1027.

Evidence

Before (skill misses this):

{
  "Action": ["iam:PassRole", "lambda:CreateFunction"],
  "Resource": "*"
}

The prior skill could flag this as broad access, but it did not force the reviewer to connect it to an administrative runtime role that can be passed to Lambda.

After (now correctly handled):
The updated skill requires reviewers to document the principal, escalation primitive, target role/workload, trust policy, iam:PassedToService conditions, SCPs, permissions boundaries, observed result, and guardrail status.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

Validation performed:

  • git diff --check
  • frontmatter required-field check
  • Markdown fence balance check
  • prompt-injection scan equivalent
  • content assertions for the new cloud privilege escalation markers
  • JSON fixture parse check

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal
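As an added example (not the PR's own code and not the iam-review skill's fixtures), the following Python reviews an IAM policy document for the PassRole-to-workload-launch chain the PR description discusses and emits a finding with the fields the PR proposes: escalation primitive, target identity/resource, required conditions, observed result, and guardrail status. The two policies, the account id, the role and function names, and the set of launch actions are constructed for illustration; the analyzer deliberately ignores Deny statements, SCPs, permissions boundaries and the target role's trust policy, which a full review must still check.

```python
import fnmatch
import json

# Constructed fixtures (not the PR's tests/ files): an unguarded policy that chains
# iam:PassRole into lambda:CreateFunction, and a guarded one that scopes the role
# and pins the consuming service with iam:PassedToService.
VULNERABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:PassRole", "lambda:CreateFunction"],
     "Resource": "*"}
  ]
}""")

BENIGN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-lambda-exec",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow",
     "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:app-*"}
  ]
}""")

# Illustrative (assumed, not exhaustive) set of actions that launch or reconfigure a
# workload and therefore consume a passed role. Extend per service in use.
LAUNCH_ACTIONS = {
    "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration",
    "ec2:RunInstances", "ecs:RunTask", "cloudformation:CreateStack",
}

GUARD_ORDER = ["missing", "partial", "present"]


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """Case-insensitive glob match, as IAM evaluates action patterns such as lambda:*."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_allows(stmt, action):
    """True when an Allow statement's Action patterns cover the given action.
    Deny statements, SCPs and permissions boundaries are not modelled here."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def _has_passed_to_service(stmt):
    """True when any Condition operator keys on iam:PassedToService."""
    for _operator, keys in stmt.get("Condition", {}).items():
        if any(k.lower() == "iam:passedtoservice" for k in keys):
            return True
    return False


def review_pass_role(policy):
    """Return a finding dict for the PassRole -> workload-launch primitive, or None when
    the policy does not grant both halves of the chain."""
    stmts = policy.get("Statement", [])
    pass_stmts = [s for s in stmts if _statement_allows(s, "iam:PassRole")]
    launch = sorted(a for a in LAUNCH_ACTIONS
                    if any(_statement_allows(s, a) for s in stmts))
    if not pass_stmts or not launch:
        return None

    worst = "present"
    targets, conditions = set(), set()
    for s in pass_stmts:
        resources = _as_list(s.get("Resource"))
        targets.update(resources)
        # Any wildcard in the role ARN counts as unscoped for this check.
        scoped = bool(resources) and not any("*" in r for r in resources)
        pinned = _has_passed_to_service(s)
        if pinned:
            conditions.add("iam:PassedToService")
        status = {(True, True): "present", (False, False): "missing"}.get(
            (scoped, pinned), "partial")
        # The weakest PassRole statement decides: one unguarded grant is enough.
        worst = min(worst, status, key=GUARD_ORDER.index)

    return {
        "escalation_primitive": "iam:PassRole -> " + ", ".join(launch),
        "target_identity_resource": sorted(targets),
        "required_conditions": sorted(conditions),
        "observed_result": ("role can be passed to a workload launch without guardrails"
                            if worst == "missing" else
                            "PassRole chain exists but is constrained"),
        "guardrail_status": worst,
    }


if __name__ == "__main__":
    for name, pol in (("vulnerable", VULNERABLE_POLICY), ("benign", BENIGN_POLICY)):
        print(name, json.dumps(review_pass_role(pol), indent=2))
```

The finding shape mirrors the matrix rows the PR proposes, so a reviewer can paste it straight into the report; the "partial" status is there because scoping the role ARN without pinning iam:PassedToService (or the reverse) still leaves one leg of the guardrail open and deserves a different write-up than a fully open chain.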

@DENGXUELIN DENGXUELIN force-pushed the improve/iam-cloud-privilege-escalation branch from 5f364c5 to 3a00018 Compare June 5, 2026 08:29
@DENGXUELIN DENGXUELIN force-pushed the improve/iam-cloud-privilege-escalation branch from 3a00018 to 4bff6ff Compare June 5, 2026 08:41
@kamalsrini kamalsrini closed this Jun 15, 2026


Development

Successfully merging this pull request may close these issues.

[REVIEW] iam-review: Missing cloud-specific IAM privilege escalation patterns
