Add NIST CSF target profile measurability gates

[Desalzes]

Summary

• Updates nist-csf-assessment to require target profile gaps to be measurable, owned, time-bounded, and tied to evidence sources before they become roadmap items.
• Adds Step 5.4 target profile measurability gates covering outcome metrics, baselines, target thresholds, owners, due dates, evidence sources, and dependencies.
• Expands the output template with a Target Profile Execution Plan table and Profile Planning Gap count.
• Adds a common pitfall for aspirational target profiles that lack execution evidence.

Related issue

Closes #1631

Validation

• git diff --check
• Required frontmatter field check for skills/compliance/nist-csf-assessment/SKILL.md
• Prompt-injection pattern scan on the modified skill
• Markdown fence balance check on the modified skill

Pull Request Checklist

• Skill follows the format specification in CONTRIBUTING.md
• At least one real framework is cited with correct control IDs
• Prompt Injection Safety Notice section retained
• injection-hardened: true remains set in frontmatter
• allowed-tools remains scoped to minimum necessary permissions
• No prohibited patterns found by local injection-pattern scan
• index.yaml not updated because this improves an existing skill, not a new skill
• Live AI-agent execution test not run; this is a focused guidance/template improvement validated statically

Bounty note

This implements the requested target profile measurability gates from #1631 and should qualify as a focused skill improvement if accepted.