
Improve GCP review evidence scope handling #2085

Open

DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/gcp-org-scope-fixtures-41

Conversation

@DENGXUELIN


/claim #41

Summary

Improves gcp-review so posture reports qualify organization, folder, project, resource, policy, SCC, and subnet scope before assigning broad results.

Changes include:

  • Adds GCP-EVID-SCOPE-01 through GCP-EVID-SCOPE-08 gates for evidence source, denominator tracking, IAM allow/deny/PAB distinction, Organization Policy inheritance, SCC tier/scope, VPC Flow Logs subnet coverage, Not Evaluable reason codes, and exception/retest handling.
  • Extends detailed findings with evidence source, capture identifier, scope coverage, and Not Evaluable reason fields.
  • Adds vulnerable and benign fixtures for project-only/SCC Standard overclaiming versus verified organization/project/policy/subnet evidence.

Why

A project-level Terraform file, sampled Cloud Asset Inventory export, or project SCC finding can be useful evidence, but it does not prove organization-wide compliance by itself. The new gates keep GCP CIS findings scoped to the evidence actually reviewed.

Validation

  • git diff --check origin/main...HEAD
  • git merge-tree --write-tree origin/main HEAD
  • Markdown fence-balance check for skills/cloud/gcp-review/SKILL.md
  • Marker check for GCP-EVID-SCOPE-01 through GCP-EVID-SCOPE-08
  • YAML parse check for both added fixtures
  • Added-line sensitive/public-contact pattern scan

Bounty Info

  • I have read and agree to CONTRIBUTING.md bounty terms.
  • Requested tier: Improver Moderate ($100) if accepted/merged.
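The validation list above includes a Markdown fence-balance check and a marker check for GCP-EVID-SCOPE-01 through GCP-EVID-SCOPE-08. The following is an added example of how such a pre-merge check can be written; it is not code from this pull request or from the UnitOneAI repository, and it runs against a constructed stand-in for skills/cloud/gcp-review/SKILL.md whose gate-to-topic mapping is assumed from the summary above.

```python
import re

# Constructed stand-in for skills/cloud/gcp-review/SKILL.md (not the project's file).
# The gate-to-topic mapping is assumed from the PR summary, not taken from the repo.
BT = "`" * 3
GATE_TOPICS = [
    "evidence source", "denominator tracking", "IAM allow/deny/PAB distinction",
    "Organization Policy inheritance", "SCC tier/scope", "VPC Flow Logs subnet coverage",
    "Not Evaluable reason codes", "exception/retest handling",
]
GATE_LINES = "\n".join(f"- GCP-EVID-SCOPE-{i:02d}: {t}" for i, t in enumerate(GATE_TOPICS, 1))
SAMPLE_OK = f"# gcp-review\n\n{GATE_LINES}\n\n{BT}yaml\nscope_coverage: project-only\n{BT}\n"
# Broken variant: gate 07 dropped and the closing YAML fence removed.
SAMPLE_BROKEN = SAMPLE_OK.replace("- GCP-EVID-SCOPE-07: Not Evaluable reason codes\n", "")
SAMPLE_BROKEN = SAMPLE_BROKEN.rsplit(BT, 1)[0]

FENCE_RE = re.compile(r"^ {0,3}(`{3,}|~{3,})")


def fence_balanced(text: str) -> bool:
    """Simplified CommonMark rule: a fence opened with N chars closes only on a
    line holding >= N of the same fence char and nothing else (no info string)."""
    open_fence = None
    for line in text.splitlines():
        m = FENCE_RE.match(line)
        if not m:
            continue
        fence = m.group(1)
        if open_fence is None:
            open_fence = fence
        elif (fence[0] == open_fence[0] and len(fence) >= len(open_fence)
              and line.strip() == fence):
            open_fence = None
    return open_fence is None


def missing_markers(text: str, prefix: str = "GCP-EVID-SCOPE-", count: int = 8) -> list:
    """Marker IDs prefix-01 .. prefix-<count> that are absent from text, in order."""
    expected = [f"{prefix}{i:02d}" for i in range(1, count + 1)]
    return [m for m in expected if m not in text]


def check_skill(text: str) -> list:
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    if not fence_balanced(text):
        problems.append("unbalanced code fence")
    problems += [f"missing marker {m}" for m in missing_markers(text)]
    return problems
```
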

