Add OWASP log forging fixtures#2053

Open
DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/owasp-log-forging-fixtures-1647
Conversation

@DENGXUELIN

/claim #1647

Summary

  • Add an A09 log-forging and audit-context evidence gate to owasp-top-10-web.
  • Require checks for attacker-controlled log sources, CR/LF and control-character handling, structured-log reserved-field protection, audit context completeness, sensitive-data redaction, production reachability, downstream parser behavior, and monitoring outcome.
  • Add vulnerable and benign fixtures for CRLF plus reserved-field log forging versus structured logging that protects trusted audit fields and preserves investigation context.

Why this fixes the review gap

The previous A09 guidance mentioned log injection, but it did not distinguish fixed structured logs from exploitable log forging or require evidence that untrusted JSON cannot overwrite reserved audit fields. This change adds explicit pass/fail criteria and fixtures for both sides of that boundary.

Validation

  • git diff --cached --check
  • git diff --check origin/main...HEAD
  • Markdown fence-balance check for changed files
  • Added-line ASCII check
  • Marker check for LOG-FORGE-01 through LOG-FORGE-08
  • Added-line sensitive-pattern scan
  • git merge-tree --write-tree origin/main HEAD
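As an added illustration of the boundary these fixtures test (example code, not part of this PR or the owasp-top-10-web project): a line-oriented logger that lets CR/LF in untrusted input forge a second entry, beside a structured logger that keeps reserved audit fields trusted, nests attacker-influenced data so its keys cannot shadow them, escapes control characters, redacts secrets and fails closed on incomplete audit context. The reserved field names, redaction key list and sample values are assumptions.

```python
import json
import re

# Trusted audit fields the application sets itself; untrusted data must never
# overwrite them. The field names are assumptions for this example.
RESERVED_FIELDS = ("timestamp", "event", "actor", "source_ip", "outcome")
# Keys whose values are redacted before reaching the log (assumed names).
REDACT_KEYS = {"password", "token", "secret"}
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def vulnerable_log_line(username: str) -> str:
    """The 'before' pattern: untrusted text concatenated into a line-oriented
    log. A CR/LF inside the value yields a second, attacker-authored line."""
    return f"event=login_failed user={username}"

def sanitize(value: str) -> str:
    """Escape CR, LF and other control characters so a value cannot end a
    line or disturb a terminal; the original bytes stay recoverable."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def check_audit_context(audit: dict) -> None:
    """Fail closed when investigation context is incomplete."""
    missing = [k for k in RESERVED_FIELDS if k not in audit]
    if missing:
        raise ValueError(f"audit context missing fields: {missing}")

def structured_log_record(audit: dict, untrusted: dict) -> dict:
    """Build one JSON log record. Reserved fields come only from `audit`;
    everything attacker-influenced is nested under 'untrusted', so a key
    such as 'outcome' in the input cannot shadow the trusted one."""
    check_audit_context(audit)
    record = {k: audit[k] for k in RESERVED_FIELDS}
    record["untrusted"] = {
        sanitize(str(k)): "[REDACTED]" if str(k).lower() in REDACT_KEYS
        else sanitize(str(v))
        for k, v in untrusted.items()
    }
    return record

def serialize(record: dict) -> str:
    """One record per line; JSON escaping plus ensure_ascii leaves no raw
    CR/LF or control bytes in the emitted line."""
    return json.dumps(record, ensure_ascii=True, separators=(",", ":"))

def parse_line(line: str) -> dict:
    """What a downstream parser (SIEM, log shipper) sees after a round trip:
    the reserved fields must come back unchanged."""
    return json.loads(line)
```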
