
feat(iso27001-gap): add cryptographic asset inventory mapping gates#2709

Closed
zeroknowledge0x wants to merge 1 commit into UnitOneAI:main from zeroknowledge0x:improve/iso27001-gap-crypto-inventory

Conversation

@zeroknowledge0x


Summary

Adds structured cryptographic asset inventory mapping gates to the ISO 27001 gap analysis skill, addressing the gaps identified in #2705.

Changes

New: Cryptographic Asset Inventory Mapping Gates (A.8.24)

Added seven-field inventory framework:

| Field | Purpose |
| --- | --- |
| Asset Type | Category of cryptographic asset (TLS, signing, encryption, HMAC, KMS) |
| Owner | Named individual/role responsible for lifecycle management |
| Algorithm | Cryptographic algorithm and key size |
| Storage Location | Where the key/material is stored |
| Rotation Date | Last/next rotation schedule |
| Data Scope | What data/systems the key protects |
| Exception Status | Documented exceptions for deprecated/weak algorithms |

False Positive Guidance

Added explicit guidance that central KMS authority is valid when:

  • Central KMS maintains authoritative inventory
  • Service keys are tracked with owner, rotation, and algorithm fields
  • Service references central inventory by key ID or alias

Missed Variant Detection

Added detection patterns for:

  • "TLS certificates are inventoried, but application signing keys and webhook HMAC secrets are omitted"
  • "Deprecated algorithm use is known in code, but the asset inventory lacks owner, rotation date, or migration exception"
  • "Multiple services reference the same key alias but no single owner is accountable"

Edge Case Handling

Added validity criteria for:

  • BYOK keys (customer-managed)
  • Cloud-managed keys
  • Short-lived workload certificates
  • Offline backup keys
  • Third-party signing keys

Remediation Quality Checklist

Added seven-item checklist for cryptographic inventory improvement recommendations.

Testing

  • Verified SKILL.md syntax and structure
  • Confirmed all seven inventory fields are documented
  • Validated edge case tables render correctly
  • Checked false positive guidance alignment with review feedback

Related Issues

Closes #2705

Checklist

  • Changes are scoped to the reviewed skill
  • False positive analysis addressed
  • Coverage gaps filled with detection patterns
  • Edge cases documented
  • Remediation quality improved with structured checklist
  • No new security issues introduced
  • No functionality broken

Add structured cryptographic asset inventory framework to A.8.24:
- Asset Type: TLS, signing, encryption, HMAC, KMS master keys
- Owner: named individual/role responsible for lifecycle
- Algorithm: cryptographic algorithm and key size
- Storage Location: where key/material is stored
- Rotation Date: last/next rotation schedule
- Data Scope: what data/systems the key protects
- Exception Status: documented exceptions for deprecation

Add false positive guidance for central KMS authority.
Add missed variant detection for TLS-only inventory gaps.
Add edge case handling for BYOK, cloud-managed, short-lived certs.
Add remediation quality checklist for inventory improvements.

Closes UnitOneAI#2705

Signed-off-by: ZKA SUPER <zeroknowledge0x@users.noreply.github.com>
@github-actions github-actions bot added the needs-approved-issue label (PR has no linked maintainer-approved issue) on Jun 16, 2026
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@github-actions github-actions Bot closed this Jun 16, 2026
Development

Successfully merging this pull request may close these issues.

[REVIEW] iso27001-gap: add cryptographic asset inventory mapping gates

1 participant