Improve DAST stateful auth safety gates#2111

Open
shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/dast-stateful-auth-safety-gates
Conversation

@shensz2017

Summary

Closes #2109.

Adds stateful authenticated scan safety gates to dast-config so reviewers can separate safe sequence-based active scans from unsafe authenticated scans that mutate business data, replay stale CSRF tokens, use privileged users, or lack seed/reset and cleanup evidence.

What changed

  • Bumped dast-config to 1.0.1.
  • Added Stateful Authenticated Scan Safety after authenticated scanning setup.
  • Added a stateful flow evidence checklist covering:
    • flow inventory and scan decisions
    • sequence coverage
    • CSRF / anti-forgery token refresh
    • least-privilege test identity
    • seed/reset and cleanup proof
    • mutation budgets
    • outbound effect controls for email, SMS, payments, webhooks, and third-party integrations
  • Added a decision matrix for safe active scan, sequence-only active scan, passive/manual-only, and not-in-scope flows.
  • Added DAST-STATE-01 through DAST-STATE-08 finding triggers.
  • Added false-positive boundaries for safe state-changing requests, over-excluding state-changing endpoints, token refresh mechanisms, and reset evidence.
  • Added a stateful authenticated scan safety table to the report template.
  • Added vulnerable and benign fixtures under skills/devsecops/dast-config/tests/.

Validation

  • git diff --cached --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed Markdown files
  • ASCII-only check for changed files
  • Prompt-injection scan matching .github/workflows/injection-scan.yml
  • DAST stateful marker check for DAST-STATE-*, Stateful Authenticated Scan Safety, sequence-import, sequence-activeScan, CSRF token handling, seed/reset, mutation budget, outbound effects, and ZAP sequence/auth references
  • Fixture marker check for vulnerable stateful scan failures and benign sequence-based scan controls

Note: YAML parser validation was attempted, but a local YAML parser was not available (yaml Node module unavailable; Ruby and PyYAML also unavailable in this environment).

References

Bounty

Requesting Improver - Moderate ($100). Preferred payment method: GitHub Sponsors if accepted, otherwise private payment details can be provided after acceptance.
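The decision matrix and evidence checklist described above can be read as a gate that takes a flow's evidence and returns one of the four scan decisions. The block below is an added illustration, not code from dast-config or this PR, and its rule set is an assumption of mine (the field names mirror the checklist items; the concrete matrix lives in the PR diff):

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Evidence fields mirror the stateful flow checklist in the PR summary. The
# rules in gate() are an assumed illustration, not the skill's own matrix.
@dataclass
class FlowEvidence:
    name: str
    mutates_business_data: bool      # does the flow change server-side state?
    csrf_token_refresh: bool         # anti-forgery token re-fetched, never replayed stale
    least_privilege_identity: bool   # test user holds only the rights the flow needs
    seed_reset_proof: bool           # documented seed/reset of the test data set
    cleanup_proof: bool              # documented cleanup after the scan
    mutation_budget: Optional[int]   # cap on state-changing requests; None = unbounded
    outbound_effects: List[str] = field(default_factory=list)   # e.g. ["email", "payments"]
    outbound_controls: List[str] = field(default_factory=list)  # effects stubbed or sandboxed

SAFE_ACTIVE = "safe active scan"
SEQUENCE_ONLY = "sequence-only active scan"
PASSIVE_MANUAL = "passive/manual-only"
NOT_IN_SCOPE = "not-in-scope"

def gate(flow: FlowEvidence) -> Tuple[str, List[str]]:
    """Return (decision, gaps); gaps name the checklist items that forced a downgrade."""
    gaps: List[str] = []
    if not flow.mutates_business_data:
        # Read-only flows carry no state risk, so ordinary active scanning is fine.
        return SAFE_ACTIVE, gaps
    # An outbound effect with no control (stub, sandbox, sink) cannot be scanned at all.
    uncontrolled = sorted(set(flow.outbound_effects) - set(flow.outbound_controls))
    if uncontrolled:
        gaps.append("uncontrolled outbound effects: " + ", ".join(uncontrolled))
        return NOT_IN_SCOPE, gaps
    if not flow.csrf_token_refresh:
        gaps.append("CSRF token not refreshed; sequence would replay stale tokens")
    if not flow.least_privilege_identity:
        gaps.append("test identity is privileged")
    if not (flow.seed_reset_proof and flow.cleanup_proof):
        gaps.append("missing seed/reset or cleanup evidence")
    if flow.mutation_budget is None or flow.mutation_budget <= 0:
        gaps.append("no mutation budget")
    # Mutating flows are only actively scanned as ordered sequences, and only
    # when every evidence item is present; any gap drops them to passive/manual.
    return (PASSIVE_MANUAL if gaps else SEQUENCE_ONLY), gaps
```

A reviewer would attach the returned gaps to the flow inventory entry so the downgrade reason is recorded alongside the decision.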

Development

Successfully merging this pull request may close these issues.

[REVIEW] dast-config: add authenticated stateful scan safety gates