Add DAST auth session evidence fixtures

[DENGXUELIN]

/claim #1313

What changed

Adds fixture-backed authenticated session freshness and state evidence gates to dast-config.

• Adds DAST-AUTH-EVID-01 through DAST-AUTH-EVID-08 for session source, phase freshness, authenticated coverage counts, CSRF/state token refresh, logout/destructive route controls, role/tenant isolation, WAF/rate-limit constraints, and state reset/cleanup.
• Adds authenticated-session severity guidance and an Authenticated Session Evidence output table.
• Adds common pitfalls for treating authentication configured as authenticated coverage and ignoring CSRF/state cleanup.
• Adds benign/vulnerable JSON fixtures for fresh authenticated CI login evidence versus stale copied-cookie/static-CSRF scans with unknown coverage and WAF blocking.

Why this PR

Existing PR #1315 is a useful Markdown edge-case implementation. This PR is intentionally structured-fixture-backed so future checks can distinguish authenticated coverage evidence from a scan that only appeared authenticated at startup.

Validation

• git diff --check origin/main...HEAD
• git merge-tree --write-tree origin/main HEAD
• JSON parse check for both added fixtures
• Markdown fence balance for dast-config/SKILL.md
• Marker checks for version: "1.0.1", Authenticated Session Freshness and State Evidence, DAST-AUTH-EVID-01 through DAST-AUTH-EVID-08, Authenticated Session Evidence, Treating authentication configured as authenticated coverage, and Ignoring CSRF and scan state cleanup
• Fixture marker checks for expected_skill_decision, dast_auth_evidence, phase_freshness, csrf_state_controls, role_tenant_coverage, and waf_rate_limit
• Added-line ASCII scan
• Added-line sensitive/public-contact pattern scan
• Remote compare verification before PR creation

Bounty tier

Requesting Improver Moderate ($100) if accepted. This adds structured local fixtures in addition to the authenticated session freshness and CSRF state evidence guidance requested by the issue.