
Add OT containment safety gates #1644

Open
yZangEren wants to merge 1 commit into UnitOneAI:main from yZangEren:improve/containment-ot-ics-safety-gates


@yZangEren

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: containment
Skill path: skills/incident-response/containment/

Related review issue: #1643

What Was Wrong

The containment skill covered standard IT isolation, credential revocation, C2 blocking, and destructive malware response, but it did not distinguish OT/ICS assets from ordinary IT hosts. In PLC/DCS/SIS/HMI/historian environments, abrupt isolation can remove operator visibility, historian continuity, or safety monitoring. The skill needed an explicit safety/operations evidence gate before recommending disruptive OT containment actions.

What This PR Fixes

  • Adds OT/ICS process-safety context collection before strategy selection.
  • Adds a new OT / ICS Safety and Operations Containment step.
  • Requires asset role, process state, safety interlock status, operations/control-engineering approval, manual fallback, preserve/block flows, historian/logging continuity, vendor remote-access decision, and validation owner.
  • Adds OT-specific validation checks to confirm process stability, preserve-flow health, remote-access control, and telemetry continuity after containment.
  • Extends the output schema with an OT/ICS Safety Gate section.
  • Adds NIST SP 800-82 Rev. 3 and CISA ICS Recommended Practices references.

Evidence

Before (skill misses this / unsafe containment risk):

Compromised engineering workstation on an OT cell is isolated by shutting down
the shared switchport before confirming PLC/HMI/historian dependencies,
process state, safety interlocks, operator visibility, manual fallback,
or operations approval.

After (now correctly handled):

The skill requires an OT/ICS safety gate first: identify asset roles,
confirm process and safety state, preserve controller/HMI/historian/logging
flows, block only safe attacker paths, record operations approval, and assign
a validation owner before disruptive isolation.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

Added fixtures:

  • tests/vulnerable/ot-controller-isolation-without-safety-gate.md
  • tests/benign/ot-staged-containment-with-operations-approval.md

Validation performed locally:

  • git diff --check
  • rg verification for OT/ICS, NIST SP 800-82 Rev. 3, and CISA ICS references
  • Markdown fence count check for SKILL.md

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Crypto; details can be provided privately after acceptance.
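
An added example, not code from this PR or the UnitOneAI repository: one way to express the safety gate described above as a pre-check over a containment plan, run against the Before and After cases from the Evidence section. The key names, flow labels and both sample plans are constructed for illustration, and the rule that a flow may not be both preserved and blocked is this example's assumption.

```python
# Evidence the PR description requires before disruptive OT containment.
# Key names are this example's own (hypothetical), not the skill's schema.
REQUIRED_EVIDENCE = (
    "asset_role", "process_state", "safety_interlock_status",
    "operations_approval", "manual_fallback", "preserve_flows",
    "block_flows", "historian_continuity",
    "vendor_remote_access_decision", "validation_owner",
)

def evaluate_ot_gate(plan):
    """Return the gate decision plus the reasons a disruptive OT action must wait."""
    if plan.get("environment") != "OT":
        return {"decision": "not_applicable", "missing": [], "conflicts": []}
    missing = [k for k in REQUIRED_EVIDENCE if not plan.get(k)]
    # Assumption of this example: a flow cannot be on both lists.
    conflicts = sorted(set(plan.get("preserve_flows") or [])
                       & set(plan.get("block_flows") or []))
    # An action with no "disruptive" flag is treated as disruptive (fail safe).
    blocked = plan.get("disruptive", True) and (missing or conflicts)
    return {"decision": "hold" if blocked else "proceed",
            "missing": missing, "conflicts": conflicts}

# Constructed sample plans modelled on the Before/After evidence text.
BEFORE = {
    "environment": "OT",
    "action": "shut down shared switchport",
    "disruptive": True,
    "asset_role": "engineering workstation",
}
AFTER = {
    "environment": "OT",
    "action": "block workstation egress at cell firewall",
    "disruptive": True,
    "asset_role": "engineering workstation",
    "process_state": "running, stable",
    "safety_interlock_status": "armed, verified by control engineering",
    "operations_approval": "shift supervisor (constructed)",
    "manual_fallback": "local panel operation confirmed",
    "preserve_flows": ["plc->hmi", "plc->historian"],
    "block_flows": ["workstation->internet", "vendor-vpn->workstation"],
    "historian_continuity": "confirmed",
    "vendor_remote_access_decision": "suspended",
    "validation_owner": "OT on-call engineer (constructed)",
}

if __name__ == "__main__":
    for name, plan in (("before", BEFORE), ("after", AFTER)):
        print(name, evaluate_ot_gate(plan))
```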
