Improve AWS review evidence scope handling#2084

Open
DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/aws-evidence-scope-fixtures-37

Conversation

@DENGXUELIN

/claim #37

Summary

Improves aws-review so AWS posture reports qualify evidence confidence before assigning organization-wide or all-region results.

Changes include:

  • Adds AWS-EVID-SCOPE-01 through AWS-EVID-SCOPE-08 gates for evidence source, account/organization denominator, regional coverage, CloudTrail organization evidence, Access Analyzer policy-validation distinction, Not Evaluable reason codes, sample limitations, and exception retest tracking.
  • Extends the detailed finding output with evidence source, capture identifier, scope coverage, and Not Evaluable reason fields.
  • Adds vulnerable and benign fixtures for IaC-only organization-scope overclaiming versus verified organization/account/region evidence.

Why

A single Terraform module or one regional service export can look compliant while failing to prove member-account inclusion, opt-in region coverage, CloudTrail bucket/KMS/CloudWatch evidence, or IAM policy-validation evidence. The new gates keep the report scoped and auditable instead of turning partial evidence into a bare Pass.

Validation

  • git diff --check origin/main...HEAD
  • git merge-tree --write-tree origin/main HEAD
  • Markdown fence-balance check for skills/cloud/aws-review/SKILL.md
  • Marker check for AWS-EVID-SCOPE-01 through AWS-EVID-SCOPE-08
  • YAML parse check for both added fixtures
  • Added-line sensitive/public-contact pattern scan

Bounty Info

  • I have read and agree to CONTRIBUTING.md bounty terms.
  • Requested tier: Improver Moderate ($100) if accepted/merged.
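To make the gating described above concrete, here is an added example (not code from this PR or from the aws-review skill) in which a per-control result is qualified by evidence source, account/organization denominator and regional coverage before it may be reported as an organization-wide Pass. The sample accounts, regions, reason-code strings and field names are constructed assumptions; the AWS-EVID-SCOPE gates themselves live in the PR's SKILL.md, which is not shown here.

```python
from dataclasses import dataclass, field

# Constructed sample scope: three member accounts, two enabled regions (assumption).
ORG_ACCOUNTS = {"111111111111", "222222222222", "333333333333"}
ENABLED_REGIONS = {"us-east-1", "eu-west-1"}

@dataclass
class Evidence:
    source: str                 # "api" = live service export; "iac" = Terraform/CloudFormation only
    capture_id: str             # identifier of the export or plan the finding was read from
    accounts: frozenset[str]    # accounts the evidence actually covers
    regions: frozenset[str]     # regions the evidence actually covers

@dataclass
class Finding:
    verdict: str                                   # Pass / Fail / Partial / Not Evaluable
    reason_codes: list[str] = field(default_factory=list)
    coverage: dict[str, str] = field(default_factory=dict)

def gate_scope(ev: Evidence, control_ok: bool,
               org_accounts=ORG_ACCOUNTS, regions=ENABLED_REGIONS) -> Finding:
    """Qualify a per-control result by evidence scope before it becomes org-wide."""
    reasons: list[str] = []
    if ev.source != "api":              # evidence-source gate: IaC proves intent, not deployed state
        reasons.append("EVID_SOURCE_IAC_ONLY")
    missing_acct = org_accounts - ev.accounts      # account/organization denominator gate
    if missing_acct:
        reasons.append("ACCOUNT_DENOMINATOR_INCOMPLETE")
    missing_reg = regions - ev.regions             # regional coverage gate (opt-in regions included)
    if missing_reg:
        reasons.append("REGION_COVERAGE_INCOMPLETE")
    coverage = {
        "accounts": f"{len(org_accounts - missing_acct)}/{len(org_accounts)}",
        "regions": f"{len(regions - missing_reg)}/{len(regions)}",
        "capture_id": ev.capture_id,
    }
    if "EVID_SOURCE_IAC_ONLY" in reasons:   # nothing verified live: Not Evaluable, with reason codes
        return Finding("Not Evaluable", reasons, coverage)
    if not control_ok:
        return Finding("Fail", reasons, coverage)
    if reasons:                             # compliant only for the covered subset, never org-wide
        return Finding("Partial", reasons, coverage)
    return Finding("Pass", [], coverage)

# Constructed fixtures mirroring the PR's vulnerable/benign pair (assumed values).
IAC_ONLY = Evidence("iac", "tf-plan-0001", frozenset(), frozenset())
VERIFIED = Evidence("api", "org-export-0002", frozenset(ORG_ACCOUNTS), frozenset(ENABLED_REGIONS))
ONE_REGION = Evidence("api", "export-0003", frozenset(ORG_ACCOUNTS), frozenset({"us-east-1"}))
```

The reason codes and coverage fractions are what a reviewer would expect to see next to the evidence source and capture identifier in the detailed finding output, so a reader can tell a scoped Partial from a verified Pass.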
