
Improve HIPAA transmission security evidence gates #2055

Open
shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/hipaa-transmission-security-evidence

Conversation

@shensz2017


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: hipaa-review
Skill path: skills/compliance/hipaa-review/SKILL.md

What Was Wrong

The HIPAA review covered 45 CFR 164.312(e) Transmission Security but could still accept a generic "TLS enabled" assertion without requiring a path-by-path ePHI transmission inventory. That misses exception routes such as claims resubmission email, vendor portal exports, SFTP/EDI paths, support attachments, webhook callbacks, and manual/emergency transfers.

Related review issue: #2054

What This PR Fixes

  • Adds a 164.312(e) transmission security evidence review that requires primary and exception path coverage.
  • Requires per-path ePHI elements, source, destination, owner, external/BA recipient, encryption evidence, certificate/downgrade controls, and integrity evidence.
  • Clarifies that addressable encryption/integrity specifications need documented implementation, equivalent control, or risk rationale.
  • Adds an output section for transmission path, encryption, integrity, exception-route, and 164.312(e) gap reporting.
  • Adds a common pitfall warning against treating a TLS checkbox as complete transmission security.

Evidence

Before (skill could miss this):

primary_api:
  protection: tls_enabled
  tls_version: not_documented
  certificate_validation: not_documented
exception_workflows:
  claims_resubmission_email:
    encryption: missing
    integrity_control: missing
    addressable_rationale: missing

After (now correctly handled):

transmission_register:
  api_exchange:
    encryption: tls_1_3
    certificate_validation: enforced
    integrity_control: signed_payload_digest
  edi_claims:
    encryption: as2_tls_1_2_or_higher
    integrity_control: edi_control_totals_and_mic
  support_portal_exports:
    encryption: portal_tls_1_3
    integrity_control: sha256_file_hash_logged

Test Cases Added/Updated

  • Added vulnerable test case: tests/vulnerable/hipaa-transmission-security-missing-exception-paths.yaml
  • Added benign test case: tests/benign/hipaa-transmission-security-documented-paths.yaml
  • Existing tests still pass / no executable test harness exists in this repository; validated with git diff --check, git diff --cached --check, and key-field checks for the new YAML evidence files.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors

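The path-by-path 164.312(e) evidence gate this PR describes, as an added example that is not the hipaa-review skill's own code: it runs the checks over flattened versions of the "Before" and "After" registers from the description. The field names, the set of values treated as undocumented, and the two-path minimum are assumptions modelled on the YAML shown above.

```python
# Added example (assumed logic, not the repository's skill): a per-path
# transmission-security evidence gate in the spirit of 45 CFR 164.312(e).

# Evidence values that do NOT count as documented encryption or integrity.
WEAK_OR_ABSENT = {"missing", "not_documented", "tls_enabled"}


def review_path(name, path):
    """Return a list of gap strings for one ePHI transmission path."""
    gaps = []
    enc = path.get("encryption")
    if enc is None or enc in WEAK_OR_ABSENT:
        # Encryption is an addressable specification: a bare checkbox or a
        # missing control needs a documented equivalent control or rationale.
        if path.get("addressable_rationale") in (None, "missing"):
            gaps.append(f"{name}: encryption evidence {enc!r} has no "
                        "implementation detail or addressable rationale")
    integ = path.get("integrity_control")
    if integ is None or integ in WEAK_OR_ABSENT:
        gaps.append(f"{name}: no integrity control evidence")
    cert = path.get("certificate_validation")
    if cert is not None and cert != "enforced":
        gaps.append(f"{name}: certificate validation is {cert!r}, not enforced")
    return gaps


def review_register(register):
    """Gate the whole register: primary plus exception routes, each with evidence."""
    gaps = []
    if len(register) < 2:
        gaps.append("register: only one path listed; exception routes not inventoried")
    for name, path in register.items():
        gaps.extend(review_path(name, path))
    return gaps


def passes_gate(register):
    return not review_register(register)


# Constructed sample registers, flattened from the PR's Before/After YAML.
BEFORE = {
    "primary_api": {"encryption": "tls_enabled", "tls_version": "not_documented",
                    "certificate_validation": "not_documented"},
    "claims_resubmission_email": {"encryption": "missing", "integrity_control": "missing",
                                  "addressable_rationale": "missing"},
}
AFTER = {
    "api_exchange": {"encryption": "tls_1_3", "certificate_validation": "enforced",
                     "integrity_control": "signed_payload_digest"},
    "edi_claims": {"encryption": "as2_tls_1_2_or_higher",
                   "integrity_control": "edi_control_totals_and_mic"},
    "support_portal_exports": {"encryption": "portal_tls_1_3",
                               "integrity_control": "sha256_file_hash_logged"},
}
```

Running `review_register(BEFORE)` reports the undocumented TLS, unenforced certificate validation and the unencrypted email route, while `passes_gate(AFTER)` is true.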