Add Azure diagnostic pipeline fixtures

[DENGXUELIN]

/claim #1624

Summary

• Adds Azure diagnostic pipeline integrity gates for coverage denominator, required categories/category groups, destination mapping, retention, destination hardening, sample delivery, cross-region/subscription coverage, and exception governance.
• Expands the CIS Section 5 checklist with concrete diagnostic category, destination, retention, and sample-delivery review guidance.
• Adds vulnerable and benign calibration fixtures for a partial diagnostic false pass versus a complete hardened diagnostic pipeline.

Why this improves the existing skill

A diagnostic setting can exist while critical Azure resources lack diagnostics, categories are partial, destinations are weakly retained or publicly accessible, and no sample log delivery has been observed. This patch makes those cases explicit and adds fixtures so reviewers can distinguish configuration presence from an actually usable diagnostic pipeline.

Validation

• git diff --cached --check
• git diff --check origin/main...HEAD
• git merge-tree --write-tree origin/main HEAD
• Markdown fence balance check
• Added-line ASCII check
• Marker check for AZ-DIAG-01 through AZ-DIAG-08, Diagnostic Pipeline Evidence, and version: "1.0.1"
• Added-line sensitive/public-contact pattern scan

Bounty request: Improver Moderate ($100) if accepted/merged.