Add access review certifier independence gates#1164

Open
bozicovichsantiago20-oss wants to merge 1 commit into
UnitOneAI:mainfrom
bozicovichsantiago20-oss:codex/access-review-certifier-independence

Conversation

@bozicovichsantiago20-oss

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: access-review
Skill path: skills/identity/access-review/

What Was Wrong

Issue #1159 shows that the skill treated certification completeness mostly as a decision/evidence problem. It did not require proof that the certifier was independent, authorized, in-scope for delegation, or unable to grant/revoke the same access being certified.

What This PR Fixes

  • Adds AR-CERT gates for self-review, conflicted certifiers, out-of-scope delegation, and provisional completion when certifier evidence is missing.
  • Adds required evidence fields for reviewer of record, actual certifier, subject, entitlement, certifier relationship, delegation authority, validity window, scope, and exceptions.
  • Adds eligibility decision logic for self-review, certifier SoD conflicts, scoped delegation, and approved time-bounded delegation.
  • Adds AR-SOD-08 for certifiers who also have provisioning/admin authority over the reviewed entitlement.
  • Extends audit evidence requirements, severity guidance, report metrics, pitfalls, and version history.
  • Adds vulnerable and benign fixtures for privileged self-review, out-of-scope delegation, and approved time-bounded delegation.

Evidence

Before (skill misses this / false positive on this):

subject_user_id: alice@example.com
actual_certifier_user_id: alice@example.com
entitlement_id: iam-admin
decision: approve

A campaign could look complete even though a privileged user approved their own access.

actual_certifier_user_id: platform-team-lead@example.com
delegation_scope:
  systems: [github-enterprise]
actual_decision:
  system: production-aws
  entitlement: iam-admin

A delegated reviewer could approve outside the approved system and privilege scope.

After (now correctly handled):

AR-CERT-09 flags privileged self-review.
AR-CERT-10 flags certifiers with grant/revoke/modify authority over the reviewed entitlement.
AR-CERT-11 validates delegation against system, environment, entitlement class, privilege level, population, and validity window.
Approved, scoped, time-bounded delegation is treated as acceptable instead of automatically deficient.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass / not applicable: git diff --cached --check; fixture files reviewed for simple YAML structure and expected markers.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal

Addresses #1159.
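The eligibility logic the description lists (self-review, certifier SoD conflict, scoped and time-bounded delegation, provisional completion when certifier evidence is missing) can be illustrated as a small gate evaluator run over records shaped like the Evidence fixtures above. This is an added example, not code from the access-review skill or this PR; the gate IDs AR-CERT-09/10/11 are the ones named in the description, while the record schema beyond the fixture field names, the `Delegation` class, the privilege-level scale, the `AR-CERT-PROVISIONAL` placeholder and all sample values are constructed here.

```python
"""Certifier eligibility gates for access-review records (added illustration).

Gate IDs AR-CERT-09/10/11 follow the PR description; everything else in the
schema (Delegation fields, privilege levels, the provisional placeholder) is
an assumption made for this example, not the skill's own format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

Finding = Tuple[str, str]  # (gate id, reason)


@dataclass
class Delegation:
    """Approved, scoped, time-bounded delegation (constructed schema)."""
    delegated_by: str
    systems: Set[str]
    environments: Set[str]
    entitlement_classes: Set[str]
    max_privilege_level: int      # 0 standard, 1 elevated, 2 privileged (assumed scale)
    population: Set[str]          # subject ids the delegate may certify
    valid_from: datetime
    valid_until: datetime


@dataclass
class CertificationRecord:
    """One certified entitlement; names mirror the PR fixtures where they exist."""
    subject_user_id: str
    entitlement_id: str
    system: str
    environment: str
    entitlement_class: str
    privilege_level: int
    decision: str
    reviewer_of_record_user_id: str
    actual_certifier_user_id: Optional[str] = None
    # entitlements on `system` that the actual certifier can grant, revoke or modify
    certifier_provisioning_authority: Set[str] = field(default_factory=set)
    delegation: Optional[Delegation] = None


def check_delegation(rec: CertificationRecord, now: datetime) -> List[Finding]:
    """AR-CERT-11: a delegate must hold authority covering every scope dimension."""
    d = rec.delegation
    if d is None:
        return [("AR-CERT-11", "certifier is not reviewer of record and no delegation recorded")]
    checks = [
        (rec.system in d.systems, "system outside delegation scope"),
        (rec.environment in d.environments, "environment outside delegation scope"),
        (rec.entitlement_class in d.entitlement_classes, "entitlement class outside scope"),
        (rec.privilege_level <= d.max_privilege_level, "privilege level exceeds delegation"),
        (rec.subject_user_id in d.population, "subject outside delegated population"),
        (d.valid_from <= now <= d.valid_until, "decision outside delegation validity window"),
    ]
    return [("AR-CERT-11", reason) for ok, reason in checks if not ok]


def evaluate_certifier(rec: CertificationRecord, now: datetime) -> Tuple[str, List[Finding]]:
    """Return (status, findings); status is 'eligible', 'deficient' or 'provisional'."""
    if rec.actual_certifier_user_id is None:
        # No proof of who actually certified: the decision cannot count as complete yet.
        return "provisional", [("AR-CERT-PROVISIONAL", "actual certifier evidence missing")]
    findings: List[Finding] = []
    if rec.actual_certifier_user_id == rec.subject_user_id:
        findings.append(("AR-CERT-09", "certifier reviewed their own access"))
    if rec.entitlement_id in rec.certifier_provisioning_authority:
        findings.append(("AR-CERT-10", "certifier can grant/revoke/modify the reviewed entitlement"))
    if rec.actual_certifier_user_id != rec.reviewer_of_record_user_id:
        findings.extend(check_delegation(rec, now))
    return ("deficient" if findings else "eligible"), findings


# Constructed fixtures modelled on the PR's Evidence section.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
ALICE, LEAD, OWNER = "alice@example.com", "platform-team-lead@example.com", "cloud-owner@example.com"


def _delegation(systems, valid_until=datetime(2025, 2, 1, tzinfo=timezone.utc)) -> Delegation:
    return Delegation(OWNER, set(systems), {"production"}, {"admin"}, 2, {ALICE},
                      datetime(2025, 1, 1, tzinfo=timezone.utc), valid_until)


def _record(certifier, reviewer, delegation=None, authority=frozenset()) -> CertificationRecord:
    return CertificationRecord(ALICE, "iam-admin", "production-aws", "production", "admin", 2,
                               "approve", reviewer, certifier, set(authority), delegation)


FIXTURES = {
    "privileged_self_review": _record(ALICE, ALICE, authority={"iam-admin"}),
    "out_of_scope_delegation": _record(LEAD, OWNER, _delegation(["github-enterprise"])),
    "approved_time_bounded_delegation": _record(LEAD, OWNER, _delegation(["production-aws"])),
    "expired_delegation": _record(LEAD, OWNER, _delegation(
        ["production-aws"], datetime(2025, 1, 10, tzinfo=timezone.utc))),
    "missing_certifier": _record(None, OWNER),
}


def run_fixtures(now: datetime = NOW):
    return {name: evaluate_certifier(rec, now) for name, rec in FIXTURES.items()}


if __name__ == "__main__":
    for name, (status, findings) in run_fixtures().items():
        print(f"{name}: {status} {[code for code, _ in findings]}")
```

The approved fixture passes every scope dimension and falls inside the validity window, so it comes back `eligible` rather than being treated as deficient merely because the certifier is not the reviewer of record; the self-review fixture raises both AR-CERT-09 and AR-CERT-10 because the certifier also holds provisioning authority over the entitlement being certified.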
