Improve scanner credential safety gates#2115

Open
shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/scanner-credential-safety-gates
Conversation

@shensz2017

Summary

Closes #1752.

Adds credential safety and lockout evidence gates to scanner-tuning so credentialed scan coverage is not treated as clean when authentication fails, local checks are skipped, scanner accounts drift, lockout thresholds are exceeded, or Vault/PAM evidence is missing.

What changed

  • Bumped scanner-tuning to 1.0.1.
  • Added Credential Safety and Lockout Evidence Gate after authenticated scanning configuration.
  • Added credential safety evidence guidance for:
    • dedicated principals
    • least privilege
    • Vault/PAM checkout, TTL, rotation, audit, and emergency revoke evidence
    • lockout alignment across retry, concurrency, account policy, and target count
    • authenticated coverage denominators
    • abort/degrade behavior on authentication failure
    • privilege drift review
    • secret redaction in logs and exports
  • Added SCAN-CRED-01 through SCAN-CRED-08 finding triggers.
  • Added credential safety output states: Fully Authenticated, Partially Authenticated, Failed Authentication, Not Credentialed, and Not Evaluable.
  • Added a Credential Safety Evidence table to the report template.
  • Added vulnerable and benign fixtures under skills/vuln-management/scanner-tuning/tests/.

Validation

  • git diff --cached --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed Markdown files
  • ASCII-only check for changed files
  • Prompt-injection scan matching .github/workflows/injection-scan.yml
  • Scanner credential marker check for SCAN-CRED-*, Credential Safety and Lockout Evidence Gate, Credential Safety Evidence, Failed Authentication, Not Evaluable, Vault/PAM, lockout alignment, authentication denominator, and privilege drift review
  • Fixture marker check for unsafe credential/lockout evidence and benign verified credential safety evidence

Note: YAML parser validation was attempted, but a local YAML parser was not available (yaml Node module unavailable; Ruby and PyYAML also unavailable in this environment).

Bounty

Requesting Improver - Moderate ($100). Preferred payment method: GitHub Sponsors if accepted, otherwise private payment details can be provided after acceptance.
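The five credential safety output states and the lockout-alignment gate described in the PR above, as an added worked example. This is not code from the scanner-tuning skill or from this PR; the `ScanResult` fields, the function names and the worst-case lockout model (one shared scanner account, every concurrent probe failing, every attempt counted before the lockout counter resets) are assumptions chosen for illustration.

```python
"""Added example: credential coverage state and lockout alignment checks.

Hypothetical helper code written for this page; it is not part of the
scanner-tuning skill or of PR #2115. Field names and the worst-case
lockout model are assumptions, not the project's own definitions.
"""
from dataclasses import dataclass

OUTPUT_STATES = (
    "Fully Authenticated",
    "Partially Authenticated",
    "Failed Authentication",
    "Not Credentialed",
    "Not Evaluable",
)


@dataclass
class ScanResult:
    """Assumed shape of the authentication evidence a scanner export gives us."""
    credentialed: bool       # were credentials configured for this scan at all?
    in_scope_targets: int    # denominator: hosts the credentialed scan should cover
    auth_succeeded: int      # hosts where authentication succeeded
    auth_failed: int         # hosts where authentication failed
    local_checks_ran: bool   # False if the scanner skipped local (authenticated) checks


def credential_state(r: ScanResult) -> str:
    """Map raw authentication counters to one of the five output states.

    The denominator is the number of in-scope targets, not the number of
    successes, so a scan that authenticated only to the hosts it happened to
    reach is reported as partial rather than clean.
    """
    if not r.credentialed:
        return "Not Credentialed"
    # No denominator, skipped local checks, or counters that do not add up
    # mean the evidence cannot be judged. Never default that case to clean.
    if r.in_scope_targets <= 0 or not r.local_checks_ran:
        return "Not Evaluable"
    if r.auth_succeeded + r.auth_failed != r.in_scope_targets:
        return "Not Evaluable"
    if r.auth_succeeded == 0:
        return "Failed Authentication"
    if r.auth_succeeded == r.in_scope_targets:
        return "Fully Authenticated"
    return "Partially Authenticated"


def lockout_aligned(attempts_per_target: int, concurrency: int,
                    targets: int, lockout_threshold: int) -> tuple[bool, int]:
    """Worst-case lockout check for a single shared scanner account.

    Model (assumption): every concurrent probe fails and every attempt is
    counted as a bad-password event against the same account before the
    lockout counter resets. The number of targets probed at once is bounded
    by the scan's concurrency setting and by the target count itself.
    Returns (aligned, worst_case_failures_in_one_window).
    """
    simultaneous = min(concurrency, targets)
    worst_case = simultaneous * attempts_per_target
    return worst_case < lockout_threshold, worst_case


if __name__ == "__main__":
    # Constructed sample evidence, not real scan output.
    samples = [
        ScanResult(True, 10, 10, 0, True),    # Fully Authenticated
        ScanResult(True, 10, 7, 3, True),     # Partially Authenticated
        ScanResult(True, 10, 0, 10, True),    # Failed Authentication
        ScanResult(False, 10, 0, 0, True),    # Not Credentialed
        ScanResult(True, 10, 10, 0, False),   # Not Evaluable: local checks skipped
    ]
    for s in samples:
        print(credential_state(s))
    # 3 attempts per host, 20 hosts at once, AD lockout after 5 bad passwords:
    print(lockout_aligned(attempts_per_target=3, concurrency=20,
                          targets=500, lockout_threshold=5))
```

The lockout check is deliberately pessimistic: if retries multiplied by concurrency can exceed the account policy threshold, the scan is misaligned even if most hosts authenticate cleanly in practice, because one mass authentication failure (expired password, rotated secret not propagated) is exactly the scenario that locks the scanner account out across the estate.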

Development

Successfully merging this pull request may close these issues.

[REVIEW] scanner-tuning: add credential safety and lockout evidence gates