
Add ephemeral cloud workload forensics gates #1617

Open: ASUKAAAAA1204 wants to merge 1 commit into UnitOneAI:main from ASUKAAAAA1204:improve/forensics-ephemeral-cloud-workloads

Conversation

@ASUKAAAAA1204

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: forensics-checklist
Skill path: skills/incident-response/forensics-checklist/

What Was Wrong

The skill covered volatile host evidence, disk imaging, cloud snapshots, and provider audit logs, but it did not give concrete gates for ephemeral cloud workloads. That can make an investigation look complete after collecting a disk snapshot and audit logs while the actual workload state is already gone or still mutable.

Concrete gaps from #1395:

  • Kubernetes pods can be evicted before pod specs, events, current/previous logs, container statuses, service account, node, mounted volumes, or owner references are preserved.
  • Serverless aliases and container tags are mutable unless the report records immutable function versions, package hashes, image digests, runtime/layers, trigger mappings, and deployment history.
  • Managed container services such as ECS, Fargate, Cloud Run, AKS, EKS, and GKE often have no traditional disk image to collect.

What This PR Fixes

Refs #1395.

This PR updates SKILL.md to add:

  • A new 6a: Ephemeral Cloud Workload Evidence gate in Cloud Forensics.
  • Kubernetes and managed-container evidence requirements for pod/task specs, events, logs, previous logs, statuses, image digests, service accounts, volumes, owner references, network policy, and audit events.
  • Example Kubernetes capture commands for pod YAML, describe output, current/previous logs, namespace events, workload owners, and network policies.
  • Serverless evidence requirements for immutable function versions/revisions, alias mapping, package hash, runtime/layers, environment and secret references, roles/service accounts, triggers, invocation logs, provider audit logs, and deployment history.
  • Explicit findings when reports rely on mutable tags/aliases or snapshots alone.
  • A dedicated Ephemeral Cloud Workload Evidence table in the output format.
  • A common pitfall warning about treating mutable ephemeral workloads as preserved evidence.
  • Kubernetes and AWS Lambda versioning references.

Evidence

Before (skill misses this / false positive on this):

```yaml
cloud:
  ebs_snapshot: captured
  audit_logs: exported
workload:
  kubernetes_pod: evicted
  lambda_function: prod_alias
  container_image: app:latest
```

The prior checklist could treat the cloud snapshot and audit export as complete even though the exact pod/function/container state was not preserved.

After (now correctly handled):

The report must record workload-level evidence: pod/task/function specs, events,
current and previous logs, container statuses, immutable image digest or function
version/package hash, service account/role, mounted volumes, trigger mappings,
deployment history, and provider control-plane events.

If a report only has `latest`, `prod`, a disk snapshot, or provider audit logs,
the skill now tells the reviewer to raise an explicit evidence gap.

Test Cases Added/Updated

  • Added inline vulnerable/benign evidence requirements and explicit finding conditions in SKILL.md.
  • Existing documentation structure still validates.
  • Did not add a separate tests/ directory because this existing skill currently consists of a single SKILL.md file.

Validation

  • git diff --check -> no whitespace errors; Windows Git emitted only the existing LF/CRLF warning.
  • Marker grep confirmed Ephemeral Cloud Workload Evidence, Kubernetes, previous container logs, immutable image digests, Serverless workloads, Cloud Run, Fargate, and Lambda Function Versions are present.
  • Markdown fence balance check -> fence_count=36 and even.
  • Frontmatter smoke check confirmed name, version, allowed-tools, and injection-hardened remain present.
  • Reference GET checks returned HTTP 200 for Kubernetes Pods, AWS Lambda function versions, NIST SP 800-86, and RFC 3227.
  • git diff --stat -> one file changed, 43 insertions.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Crypto; details can be provided privately after maintainer acceptance.
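As an added example (not code from PR #1617 or the forensics-checklist skill), the following Python script shows the two pieces the PR description enumerates as a runnable reviewer gate: the Kubernetes capture command list for a pod (pod YAML, describe output, current and previous logs, namespace events, workload owners, network policies) and the evidence check that raises an explicit gap when a report only holds mutable references such as an image tag, a Lambda alias or an evicted pod with no preserved state. The report field names, the exact kubectl flags and the two sample reports are assumptions constructed for this example.

```python
"""Reviewer-side gate for ephemeral cloud workload evidence.

Added example; not part of PR #1617 or the forensics-checklist skill.
Report field names and the sample reports below are constructed.
"""
import re

# An image reference is immutable only when pinned by digest: name@sha256:<64 hex>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Lambda function versions are numeric (bare or as the last ARN component).
# "$LATEST" and named aliases such as "prod" are mutable pointers.
LAMBDA_VERSION_RE = re.compile(r"^(arn:aws:lambda:[^:]+:\d+:function:[^:]+:)?\d+$")

# Artifacts a report must hold for a pod before it is treated as preserved.
REQUIRED_POD_ARTIFACTS = ("spec_yaml", "describe", "logs", "previous_logs", "events", "owner_refs")


def kubectl_capture_commands(namespace, pod):
    """Commands to run before the pod is evicted or garbage-collected (flags assumed)."""
    return [
        f"kubectl get pod {pod} -n {namespace} -o yaml",
        f"kubectl describe pod {pod} -n {namespace}",
        f"kubectl logs {pod} -n {namespace} --all-containers --timestamps",
        f"kubectl logs {pod} -n {namespace} --all-containers --previous --timestamps",
        f"kubectl get events -n {namespace} --sort-by=.lastTimestamp -o yaml",
        f"kubectl get replicasets,deployments,statefulsets,daemonsets,jobs -n {namespace} -o yaml",
        f"kubectl get networkpolicies -n {namespace} -o yaml",
    ]


def image_is_immutable(ref):
    """True for digest-pinned references, False for tags like app:latest."""
    return bool(DIGEST_RE.search(ref))


def lambda_is_immutable(ref):
    """True for a numeric function version, False for an alias or $LATEST."""
    return bool(LAMBDA_VERSION_RE.match(ref))


def workload_evidence_findings(report):
    """Return explicit evidence-gap findings for a report; empty list means the gate passes.

    Cloud-level evidence (snapshot, audit export) never satisfies the workload gate by itself.
    """
    findings = []
    workload = report.get("workload")
    if not workload:
        return ["no workload-level evidence: a snapshot and audit logs do not preserve pod/function/container state"]

    pod = workload.get("kubernetes_pod")
    if pod is not None:
        missing = [a for a in REQUIRED_POD_ARTIFACTS if not pod.get(a)]
        if missing:
            status = pod.get("status", "unknown")
            findings.append(f"kubernetes_pod ({status}): missing {', '.join(missing)}")

    image = workload.get("container_image")
    if image is not None and not image_is_immutable(image):
        findings.append(f"container_image '{image}' is a mutable tag; record the image digest")

    fn = workload.get("lambda_function")
    if fn is not None:
        if not lambda_is_immutable(fn):
            findings.append(f"lambda_function '{fn}' is a mutable alias or $LATEST; record the numeric version")
        if not workload.get("lambda_package_sha256"):
            findings.append("lambda package hash not recorded; code behind the version cannot be verified")
    return findings


# Constructed sample: what the PR calls the "before" report.
REPORT_BEFORE = {
    "cloud": {"ebs_snapshot": "captured", "audit_logs": "exported"},
    "workload": {
        "kubernetes_pod": {"status": "evicted"},
        "lambda_function": "prod",
        "container_image": "app:latest",
    },
}

# Constructed sample: the same incident with workload-level evidence preserved.
REPORT_AFTER = {
    "cloud": {"ebs_snapshot": "captured", "audit_logs": "exported"},
    "workload": {
        "kubernetes_pod": {
            "status": "captured", "spec_yaml": "pod.yaml", "describe": "pod-describe.txt",
            "logs": "pod.log", "previous_logs": "pod-previous.log",
            "events": "events.yaml", "owner_refs": "owners.yaml",
        },
        "lambda_function": "42",
        "lambda_package_sha256": "f" * 64,
        "container_image": "registry.example/app@sha256:" + "a" * 64,
    },
}

if __name__ == "__main__":
    for cmd in kubectl_capture_commands("prod", "api-7d9f"):
        print(cmd)
    for name, report in (("before", REPORT_BEFORE), ("after", REPORT_AFTER)):
        print(name, workload_evidence_findings(report) or "gate passed")
```

The gate is deliberately strict about the cloud section: a report with only `ebs_snapshot` and `audit_logs` returns a single finding rather than passing, which is the false-positive case the PR description calls out.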
