
Add agent approval provenance gates #1637

Open
Desalzes wants to merge 1 commit into UnitOneAI:main from Desalzes:codex/agent-security-approval-provenance-gates

Conversation


Desalzes commented Jun 7, 2026

Summary

  • Adds review context for tool artifact provenance and approval decision records.
  • Requires permissions, HITL gates, and audit logs to bind to exact tool identity, MCP/plugin provenance, schema/manifest hashes, artifact digests, arguments, runtime destination, expiry, and replay metadata.
  • Adds a dedicated output table for tool artifact and approval binding evidence.
  • Documents the common pitfall of approving natural-language summaries instead of machine-verifiable executable facts.

Related issue

Closes #1595

Validation

  • git diff --check
  • Required SKILL.md frontmatter field check
  • Injection-pattern scan for modified files
  • Markdown fence balance check

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • Prompt Injection Safety Notice retained
  • injection-hardened: true remains set in frontmatter
  • allowed-tools remains scoped to minimum necessary permissions
  • No prohibited patterns found by local injection-pattern scan
  • index.yaml not updated because this improves an existing skill, not a new skill
  • Live AI-agent execution test not run; this is a focused defensive review-guidance improvement validated statically

Bounty note

This is an improver submission for the agent-security review skill. The change makes the skill directly test the approval/provenance gap described in #1595 while staying within the existing defensive review scope and allowed tools.
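The approval/provenance binding the PR description asks the review skill to test can be illustrated with a small gate. The following is an added example written for this page, not code from this PR or the UnitOneAI repository: an approval record binds to the hashes of the exact tool identity, MCP server fingerprint, manifest, artifact bytes, arguments and runtime destination plus an expiry and a nonce, and the execution-time gate refuses anything that deviates. The manifest, artifact bytes, server fingerprint, key and clock values are constructed sample data, and the HMAC stands in for whatever signature an approval authority would really use.

```python
"""Added example: bind a human approval to machine-verifiable executable facts, not to a summary."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample data; names and shapes are assumptions, not this project's schema.
APPROVAL_KEY = b"example-approval-authority-key"  # stand-in for a real signing key
MANIFEST = {"name": "fs_tool", "version": "1.2.0", "tools": [{"name": "read_file"}]}
ARTIFACT = b"\x7fELF fake plugin bytes for the example"
SERVER_FP = "sha256:aa11"  # hypothetical MCP server identity fingerprint


def canonical(obj) -> bytes:
    """Deterministic JSON so the same facts always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tool_facts(tool_id, server_fp, manifest, artifact, args, destination) -> dict:
    """The exact, hashable facts an approval must bind to (no free-text summary here)."""
    return {
        "tool_id": tool_id,
        "mcp_server_fingerprint": server_fp,
        "manifest_sha256": sha256_hex(canonical(manifest)),
        "artifact_sha256": sha256_hex(artifact),
        "args_sha256": sha256_hex(canonical(args)),
        "destination": destination,
    }


@dataclass
class Approval:
    facts: dict
    approver: str
    issued_at: int
    expires_at: int
    nonce: str
    mac: str = ""

    def body(self) -> bytes:
        """Everything except the MAC itself is covered by the MAC."""
        return canonical({k: v for k, v in self.__dict__.items() if k != "mac"})


def approve(facts, approver, now, ttl_s, nonce) -> Approval:
    record = Approval(facts, approver, now, now + ttl_s, nonce)
    record.mac = hmac.new(APPROVAL_KEY, record.body(), "sha256").hexdigest()
    return record


def gate(approval: Approval, observed: dict, now: int, seen: set) -> tuple[bool, str]:
    """Execution-time check: every deviation from the approved facts is a refusal."""
    expected = hmac.new(APPROVAL_KEY, approval.body(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, approval.mac):
        return False, "approval record tampered or not issued by approval authority"
    if now >= approval.expires_at:
        return False, "approval expired"
    if approval.nonce in seen:
        return False, "replay: approval nonce already consumed"
    for key, value in approval.facts.items():
        if observed.get(key) != value:
            return False, f"binding mismatch on {key}"
    seen.add(approval.nonce)  # consume the nonce only after every check passed
    return True, "execute"


def demo() -> dict:
    """Run the gate against the approved call and four failure modes; returns the verdicts."""
    args = {"path": "/srv/reports/q2.csv"}
    approved = tool_facts("fs_tool.read_file", SERVER_FP, MANIFEST, ARTIFACT, args, "prod-worker-7")
    record = approve(approved, "alice", now=1000, ttl_s=300, nonce="n-1")
    seen: set = set()
    out = {"ok": gate(record, approved, 1001, seen)[1]}
    # Argument drift: the summary "read the Q2 report" is unchanged, the call is not.
    drifted = tool_facts("fs_tool.read_file", SERVER_FP, MANIFEST, ARTIFACT,
                         {"path": "/etc/shadow"}, "prod-worker-7")
    out["args"] = gate(record, drifted, 1002, set())[1]
    # Manifest swap: the server re-published the tool under the same name.
    swapped = tool_facts("fs_tool.read_file", SERVER_FP, {**MANIFEST, "version": "1.2.1"},
                         ARTIFACT, args, "prod-worker-7")
    out["manifest"] = gate(record, swapped, 1002, set())[1]
    # Replay: the same approval presented a second time (nonce already in `seen`).
    out["replay"] = gate(record, approved, 1003, seen)[1]
    # Expiry: presented after the TTL elapsed.
    out["expired"] = gate(record, approved, 1300, set())[1]
    # Tampering: expiry extended, MAC copied from the genuine record.
    forged = Approval(approved, "alice", 1000, 9999, "n-2", mac=record.mac)
    out["tamper"] = gate(forged, approved, 1001, set())[1]
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>9}: {verdict}")
```

The gate never looks at a natural-language description of the call; the approver's decision is useful only because the record carries hashes that the runtime can recompute from what it is actually about to execute. The nonce set must be shared across every runtime that honours the same approval records, otherwise a record consumed on one worker is still replayable on another.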



Development

Successfully merging this pull request may close these issues.

[REVIEW] agent-security: bind approvals to exact tool artifacts and MCP provenance
