
Add ReBAC and continuous verification gates #1151

Closed

bozicovichsantiago20-oss wants to merge 1 commit into UnitOneAI:main from bozicovichsantiago20-oss:codex/rbac-rebac-zta-evidence

Conversation

@bozicovichsantiago20-oss

Summary

  • Adds workload/service account handling so RBAC role-to-user ratio checks focus on human users and do not flag service-specific workload roles as role explosion.
  • Adds ReBAC relationship evidence: tuple inventory, schema, traversal bounds, lifecycle cleanup, caveats, cross-tenant guards, decision logging, and fixture evidence.
  • Adds Zero Trust continuous-verification gates for PDP/PEP evaluation frequency, cache TTL, invalidation triggers, fail-closed behavior, and policy decision logs.
  • Adds break-glass/JIT design checks so emergency access is time-bound, scoped, logged, alerted, and reviewed instead of permanent wildcard access.
  • Adds Authorization-as-Code remediation guidance and NIST SP 800-207/ReBAC references.
  • Adds vulnerable and benign fixtures for ReBAC tuple sprawl, login-only authorization, permanent break-glass admin, bounded relationship tuples, and continuous-verification break-glass design.

Issue

Closes #1110

Bounty alignment

Skill improvement for skills/identity/rbac-design. Target tier: Improver Moderate ($100) if accepted by maintainers.

Validation

  • git diff --cached --check
  • Required marker checks for NIST SP 800-207, ReBAC/ZTA sections, RBAC-REB/RBAC-ZTA controls, Authorization-as-Code, and version history.
  • Markdown fence balance check.
  • Fixture presence check for all new vulnerable/benign cases.
  • External reference link check; all returned HTTP 200.
  • Prompt-injection phrase scan only matched the existing defensive safety notice.
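To make the gates listed in the summary concrete, the following Python model is added here as an illustration; it is not code from this PR or from the UnitOneAI repository. It shows a ReBAC tuple store whose userset expansion is bounded by depth and refused across tenants, wrapped in a policy decision point that caches decisions with a TTL, invalidates them on a trigger, denies on any evaluation failure (fail-closed), records every decision, and honours only time-bound, object-scoped break-glass grants. Every tenant, tuple, user, ticket id and timestamp in it is constructed for the example.

```python
def tenant_of(name):
    """Objects and usersets are named '<tenant>/<type>:<id>'; return the tenant part."""
    return name.split("/", 1)[0]


class RelationshipStore:
    """Relationship tuples (object, relation, subject). A subject is a user ('user:alice')
    or a userset ('tenant-a/group:eng#member') expanded recursively within max_depth."""

    def __init__(self, tuples, max_depth=3):
        self.index = {}
        for obj, rel, subj in tuples:
            self.index.setdefault((obj, rel), set()).add(subj)
        self.max_depth = max_depth

    def check(self, obj, rel, user, depth=0):
        if depth > self.max_depth:
            # Traversal bound exceeded (tuple sprawl or a cycle): refuse to decide.
            raise RecursionError(f"traversal depth > {self.max_depth} at {obj}#{rel}")
        for subj in self.index.get((obj, rel), ()):
            if subj == user:
                return True
            if "#" in subj:
                sub_obj, sub_rel = subj.split("#", 1)
                if tenant_of(sub_obj) != tenant_of(obj):
                    continue  # cross-tenant guard: never expand another tenant's userset
                if self.check(sub_obj, sub_rel, user, depth + 1):
                    return True
        return False


class PDP:
    """Policy decision point: TTL'd cache, invalidation trigger, fail-closed evaluation,
    time-bound break-glass grants, and a log entry for every decision it returns."""

    def __init__(self, store, ttl_seconds=30.0):
        self.store, self.ttl = store, ttl_seconds
        self.cache = {}    # (user, obj, rel) -> (decision, expires_at)
        self.grants = {}   # (user, obj, rel) -> (expires_at, ticket); checked first, never cached
        self.log = []      # one dict per decision

    def _record(self, user, obj, rel, decision, source, now):
        self.log.append({"t": now, "user": user, "obj": obj, "rel": rel,
                         "decision": decision, "source": source})
        return decision

    def evaluate(self, user, obj, rel, now):
        grant = self.grants.get((user, obj, rel))
        if grant and now < grant[0]:
            return self._record(user, obj, rel, True, f"break-glass:{grant[1]}", now)
        hit = self.cache.get((user, obj, rel))
        if hit and now < hit[1]:
            return self._record(user, obj, rel, hit[0], "cache", now)
        try:
            decision, source = self.store.check(obj, rel, user), "policy"
        except Exception as exc:  # any evaluation failure is a deny, never an allow
            decision, source = False, f"fail-closed:{type(exc).__name__}"
        self.cache[(user, obj, rel)] = (decision, now + self.ttl)
        return self._record(user, obj, rel, decision, source, now)

    def invalidate_user(self, user):
        """Invalidation trigger, e.g. session revocation or a tuple change for this user."""
        for key in [k for k in self.cache if k[0] == user]:
            del self.cache[key]

    def grant_break_glass(self, user, obj, rel, now, duration, ticket):
        """Emergency access: one object/relation (no wildcard), hard expiry, ticket for review."""
        self.grants[(user, obj, rel)] = (now + duration, ticket)


def demo():
    """Constructed scenario; returns (decision, source) for each logged decision."""
    tuples = [
        ("tenant-a/doc:1", "viewer", "tenant-a/group:eng#member"),
        ("tenant-a/group:eng", "member", "user:alice"),
        ("tenant-a/doc:2", "viewer", "tenant-b/group:all#member"),        # cross-tenant userset
        ("tenant-b/group:all", "member", "user:bob"),
        ("tenant-a/doc:3", "viewer", "tenant-a/group:loop#member"),
        ("tenant-a/group:loop", "member", "tenant-a/group:loop#member"),  # self-referential sprawl
    ]
    pdp = PDP(RelationshipStore(tuples, max_depth=3), ttl_seconds=30.0)
    pdp.evaluate("user:alice", "tenant-a/doc:1", "viewer", now=0.0)   # allow via group membership
    pdp.evaluate("user:alice", "tenant-a/doc:1", "viewer", now=10.0)  # served from cache within TTL
    pdp.invalidate_user("user:alice")                                  # e.g. her session was revoked
    pdp.evaluate("user:alice", "tenant-a/doc:1", "viewer", now=11.0)  # re-evaluated, not cached
    pdp.evaluate("user:bob", "tenant-a/doc:2", "viewer", now=12.0)    # deny: other tenant's userset
    pdp.evaluate("user:alice", "tenant-a/doc:3", "viewer", now=13.0)  # deny: depth bound, fail closed
    pdp.grant_break_glass("user:bob", "tenant-a/doc:1", "viewer", now=60.0, duration=900.0, ticket="INC-0001")
    pdp.evaluate("user:bob", "tenant-a/doc:1", "viewer", now=61.0)    # emergency access, logged with ticket
    pdp.evaluate("user:bob", "tenant-a/doc:1", "viewer", now=1000.0)  # grant expired: back to policy
    return [(e["decision"], e["source"]) for e in pdp.log]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Two design points carry over to real deployments: break-glass results are never cached, so an expired grant cannot linger in the PDP's cache past its end time, and the traversal bound surfaces as a denial with a distinct `source` tag, which is what a decision-log review would key on when hunting for tuple sprawl or cyclic relationships.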

bozicovichsantiago20-oss force-pushed the codex/rbac-rebac-zta-evidence branch from d9fed74 to 3a69794 on June 5, 2026 20:19
kamalsrini closed this Jun 15, 2026


Development

Successfully merging this pull request may close these issues.

[REVIEW] rbac-design: add ReBAC relationship gates and ZTA 'continuous verification' lifecycle