Improve rbac-design policy precedence checks#1672

Open
Dolpme wants to merge 1 commit into UnitOneAI:main from Dolpme:improve/rbac-design-policy-precedence

Conversation

@Dolpme
Copy link
Copy Markdown

@Dolpme Dolpme commented Jun 7, 2026

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with at least one AI coding agent (which one: Codex)
  • No prohibited patterns per SECURITY.md
  • index.yaml updated with new skill entry (if adding a skill; not applicable, existing skill only)

What This PR Does

Addresses #1651.

This improves skills/identity/rbac-design/SKILL.md by adding explicit policy precedence and conflict-resolution review gates for hybrid RBAC/ABAC designs. The update requires reviewers to verify:

  • documented policy combining behavior
  • default-deny behavior for unmatched, partial, or ambiguous PDP decisions
  • high-risk deny precedence over broad role permits
  • fail-closed handling for missing or stale PIP attributes
  • ordering regression tests for first-match or priority-ordered policies
  • break-glass obligations before deny bypass
  • consistent precedence across app, gateway, PDP, and database RLS layers

It also adds RBAC-PREC-* finding IDs and extends the output template with policy conflict test evidence.

Framework References

  • NIST RBAC model / ANSI INCITS 359-2012, already referenced by the skill
  • NIST SP 800-162 ABAC architecture and planning considerations, already referenced by the skill

Testing

  • PowerShell equivalent of lint-skills.yml frontmatter check: passed for all skills/ and roles/ SKILL.md files.
  • PowerShell equivalent of validate-index.yml: all files listed by index.yaml exist.
  • PowerShell equivalent of injection-scan.yml: no prompt injection patterns detected.
  • git diff --check: passed; only the existing Windows line-ending warning was reported.
  • Targeted issue coverage check: confirmed the edited skill includes policy precedence, combining algorithm, default deny, high-risk deny precedence, fail-closed missing attributes, first-match ordering tests, break-glass obligations, all RBAC-PREC-* IDs, and policy conflict test evidence.
