
Add PAM automation identity evidence gates#962

Closed
BryanGM12 wants to merge 1 commit into UnitOneAI:main from BryanGM12:codex/privileged-access-pam-automation-tokens

Conversation

@BryanGM12


/claim #954

Summary

  • Add Step 2.5: PAM Automation Identity and API Token Evidence to skills/identity/privileged-access/SKILL.md.
  • Add a required evidence table for PAM/vault automation identities covering bootstrap method, secret-zero handling, permissions, scope boundaries, token controls, audit correlation, revocation evidence, and confidence.
  • Add PAM-AUTO-* finding IDs for broad API-token scope, static secret-zero bootstrap, missing TTL/use-count controls, missing audit correlation, connector policy/audit control, and incomplete child-token/lease/session revocation.
  • Add benign and vulnerable examples for OIDC-to-Vault, wrapped AppRole SecretID, and long-lived broad PAM API tokens in CI.
  • Add test fixtures for a bounded OIDC vault broker and a vulnerable broad PAM API token.

Validation

  • git diff --cached --check
  • Markdown code-fence counts are even for the skill and both fixtures.
  • Required markers present: PAM-AUTO-01, PAM-AUTO-02, PAM-AUTO-03, PAM-AUTO-05, PAM-AUTO-06, Not Evaluable, OIDC/Vault and AppRole examples.
  • Prompt-injection scan found only the existing defensive warning text in the skill.
  • Added source URL checks returned HTTP 200 for HashiCorp AppRole pattern, HashiCorp AppRole tutorial, HashiCorp token concepts, CyberArk API docs, Delinea API docs, and NIST SP 800-53A Rev. 5.

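The evidence gates the description lists (bounded scope, bootstrap method, TTL and use-count controls, audit correlation) can be checked mechanically against a token's metadata. The following is an added example and is not code from this pull request or from the skill it modifies. The record shape mirrors the `data` object returned by `vault token lookup -format=json` (policies, creation_ttl, explicit_max_ttl, num_uses, path, entity_id, meta); the thresholds, the policy allowlist, the set of "bounded" login paths, the correlation keys in `meta` and both sample records are assumptions constructed for illustration, and the descriptive finding codes are not the skill's PAM-AUTO-* identifiers.

```python
"""Evaluate PAM/vault automation-token evidence against bounded-scope criteria.

Added example, not part of the pull request. Field names follow the `data`
object of `vault token lookup -format=json`; all thresholds and sample values
below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Assumed gate parameters for an automation identity (not taken from the page).
MAX_CREATION_TTL_SECONDS = 4 * 3600   # a CI job should not need a token longer than this
MAX_TOKEN_USES = 50                   # Vault treats num_uses == 0 as "unlimited"
BOUNDED_LOGIN_PATHS = ("auth/jwt/login", "auth/oidc/login", "auth/approle/login")
CORRELATION_KEYS = ("pipeline_id", "run_id")   # assumed meta keys used to join audit events


@dataclass
class Finding:
    code: str     # descriptive class name; the skill's PAM-AUTO-* ids are not reproduced here
    detail: str


@dataclass
class TokenRecord:
    display_name: str
    path: str                 # auth path that minted the token
    policies: list
    creation_ttl: int         # seconds; 0 means the token never expires
    explicit_max_ttl: int     # seconds; 0 means no hard cap on renewal
    num_uses: int             # 0 means unlimited uses
    renewable: bool
    entity_id: str            # "" when the token is not bound to an identity entity
    meta: dict = field(default_factory=dict)


def evaluate_token(tok: TokenRecord, allowed_policies: set) -> list:
    """Return the evidence gaps found for one automation token (empty list = all gates pass)."""
    findings = []

    # Broad scope: root, or any policy outside the identity's approved set.
    broad = sorted(p for p in tok.policies if p == "root" or p not in allowed_policies)
    if broad:
        findings.append(Finding("broad-scope", f"policies outside allowlist: {broad}"))

    # Static secret-zero: minted directly (e.g. auth/token/create) instead of via a
    # login method that proves a workload identity (OIDC/JWT, wrapped AppRole).
    if tok.path not in BOUNDED_LOGIN_PATHS:
        findings.append(Finding("static-bootstrap", f"minted via {tok.path!r}, not a bounded login method"))

    # TTL controls: never expires, lives longer than the job needs, or renews without a cap.
    if tok.creation_ttl == 0 or tok.creation_ttl > MAX_CREATION_TTL_SECONDS:
        findings.append(Finding("missing-ttl", f"creation_ttl={tok.creation_ttl}"))
    if tok.renewable and tok.explicit_max_ttl == 0:
        findings.append(Finding("missing-max-ttl", "renewable with no explicit_max_ttl cap"))

    # Use-count control.
    if tok.num_uses == 0 or tok.num_uses > MAX_TOKEN_USES:
        findings.append(Finding("missing-use-count", f"num_uses={tok.num_uses}"))

    # Audit correlation: the token must resolve to an entity and carry job metadata.
    if not tok.entity_id:
        findings.append(Finding("no-entity", "no entity_id; audit log cannot be joined to an identity"))
    missing = [k for k in CORRELATION_KEYS if k not in tok.meta]
    if missing:
        findings.append(Finding("no-audit-correlation", f"meta lacks {missing}"))
    return findings


# Constructed sample records (assumptions, not the PR's fixtures).
BOUNDED_OIDC_BROKER = TokenRecord(
    display_name="jwt-ci-deploy", path="auth/jwt/login",
    policies=["default", "ci-deploy-read"],
    creation_ttl=900, explicit_max_ttl=1800, num_uses=10, renewable=False,
    entity_id="entity-ci-deploy-0001",
    meta={"role": "ci-deploy", "pipeline_id": "pl-42", "run_id": "run-9001"},
)
BROAD_PAM_API_TOKEN = TokenRecord(
    display_name="token", path="auth/token/create",
    policies=["root"],
    creation_ttl=0, explicit_max_ttl=0, num_uses=0, renewable=True,
    entity_id="", meta={},
)
ALLOWED_POLICIES = {"default", "ci-deploy-read"}


def finding_codes(tok: TokenRecord, allowed: set = ALLOWED_POLICIES) -> list:
    """Convenience wrapper returning only the finding codes, in evaluation order."""
    return [f.code for f in evaluate_token(tok, allowed)]


if __name__ == "__main__":
    for rec in (BOUNDED_OIDC_BROKER, BROAD_PAM_API_TOKEN):
        print(rec.display_name, finding_codes(rec) or "all gates pass")
```

The bounded broker record passes every gate; the broad API token trips all seven, which is the shape of evidence a reviewer would expect the vulnerable fixture to produce. Thresholds such as the 4-hour TTL and 50-use cap are deliberately parameters, since the right bound depends on the job the identity serves.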
BryanGM12 force-pushed the codex/privileged-access-pam-automation-tokens branch from ac9af49 to 9c24486 on June 14, 2026 18:03
BryanGM12 requested a review from kamalsrini as a code owner on June 14, 2026 18:03
kamalsrini closed this on Jun 15, 2026