Add OAuth OIDC security review skill#2083

Open

shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:add/oauth-oidc-security-skill

Conversation

@shensz2017

Summary

Closes #153.

Adds a new oauth-oidc-security skill under skills/identity/ for OAuth 2.0 and OpenID Connect implementation review. The skill covers flow-level and trust-boundary evidence for:

  • authorization request and callback binding, including exact redirect URI matching, state, nonce, PKCE S256, and one-time authorization code handling;
  • ID token, JWT access token, opaque token, issuer, audience/resource, azp, token type, algorithm, and JWKS/key-selection validation;
  • public/native/browser/device clients, token storage, refresh-token rotation, log/artifact leakage, and device authorization phishing boundaries;
  • resource-server audience/scope/tenant/object enforcement, sender-constrained token claims, and validation cache/revocation behavior;
  • federation, multi-tenant login, and account linking using issuer-scoped immutable identifiers instead of mutable email-only linking.

Fixtures

Adds 3 vulnerable and 3 benign skill-local YAML fixtures:

  • oauth-oidc-callback-missing-binding.yaml
  • oauth-oidc-resource-server-audience-confusion.yaml
  • oauth-oidc-device-flow-token-leakage.yaml
  • oauth-oidc-hardened-auth-code-pkce.yaml
  • oauth-oidc-resource-server-audience-bound.yaml
  • oauth-oidc-public-client-token-storage-controlled.yaml

Validation

  • git diff --check
  • Frontmatter required-field check for the new skill
  • Marker checks for OAUTH-REDIR-01, OAUTH-PKCE-01, OIDC-JWT-01, OIDC-JWKS-01, OAUTH-AUD-01, OAUTH-LINK-01, RFC 9700, OpenID Connect Core, and the injection boundary
  • Markdown fence-balance check
  • ASCII and required-field checks for all 6 YAML fixtures
  • index.yaml check: skill_count=46, 46 indexed skill files, 5 indexed role files, all indexed files exist
  • Official reference URL checks returned HTTP 200 for RFC 6749, RFC 7636, RFC 8252, RFC 8628, RFC 8705, RFC 9449, RFC 9700, OpenID Connect Core, OpenID Connect Discovery, and OWASP ASVS
  • Staged diff scan found no public payment details, private key markers, AWS key patterns, or crypto wallet addresses

Bounty request

Requesting Author Intermediate tier ($350) if accepted, matching the issue's proposed complexity: multiple languages/frameworks and nuanced OAuth/OIDC flow, token, client, resource-server, and federation detection logic.

Preferred payment method: GitHub Sponsors if available; otherwise payment details can be provided privately after maintainer acceptance.
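The callback-binding and ID-token validation checks the summary lists (PKCE S256, exact audience/azp handling, nonce and issuer binding), as an added illustration rather than code from this PR or the skill itself; the issuer, client id, and sample claims are constructed, and signature verification against the JWKS is assumed to have already run.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample values for this example; they are not from the PR or the skill.
ISSUER = "https://idp.example"
CLIENT_ID = "app-client"
ALLOWED_ALGS = {"RS256", "ES256"}


def pkce_s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_verifier_matches(stored_challenge: str, code_verifier: str) -> bool:
    """Token-endpoint side of PKCE: the verifier must reproduce the stored challenge."""
    return hmac.compare_digest(pkce_s256_challenge(code_verifier), stored_challenge)


def id_token_findings(header: dict, claims: dict, expected_nonce: str,
                      now: Optional[int] = None) -> list:
    """Return review findings for an ID token header and claim set (empty list = accept).
    Signature verification against the issuer's JWKS is assumed to run before this."""
    now = int(time.time()) if now is None else now
    findings = []
    if header.get("alg") not in ALLOWED_ALGS:  # rejects 'none' and any unexpected alg
        findings.append("OIDC-JWT-01: unexpected alg %r" % header.get("alg"))
    if claims.get("iss") != ISSUER:
        findings.append("OIDC-JWT-01: issuer mismatch")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in auds:
        findings.append("OAUTH-AUD-01: client_id not in aud")
    # With several audiences, azp must name this client (OpenID Connect Core 3.1.3.7).
    if len(auds) > 1 and claims.get("azp") != CLIENT_ID:
        findings.append("OAUTH-AUD-01: multiple aud without matching azp")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        findings.append("nonce mismatch: token not bound to this login")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        findings.append("token expired or exp missing")
    return findings
```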

Development

Successfully merging this pull request may close these issues.

[NEW SKILL] oauth-oidc-security: OAuth/OIDC implementation review