Add PCI payment-page script evidence gates #1273

Open

alejandrorivas-pixel wants to merge 1 commit into UnitOneAI:main from alejandrorivas-pixel:improve/pci-payment-page-gates

Add PCI payment-page script evidence gates#1273
alejandrorivas-pixel wants to merge 1 commit into
UnitOneAI:mainfrom
alejandrorivas-pixel:improve/pci-payment-page-gates

Conversation

@alejandrorivas-pixel


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: pci-dss-review
Skill path: skills/compliance/pci-dss-review/

Closes #1272.

What Was Wrong

The skill listed PCI DSS Requirements 6.4.3 and 11.6.1, but did not make payment-page script management and browser-side tamper detection assessor-verifiable. That created two problems:

  • Real e-skimming control gaps could be missed when evidence was limited to static source review, generic CSP, or server-side file integrity monitoring.
  • Scoped TPSP/3DS provider-owned iframe flows could be over-scored if every nested script was treated as merchant-managed without checking responsibility evidence.

What This PR Fixes

This PR adds a dedicated payment-page evidence workflow for PCI DSS v4.0.1 review:

  • updates the skill context and references to PCI DSS v4.0.1 while preserving valid v4 requirement IDs
  • adds 6.4.3 evidence gates for payment-page URL inventory, browser-observed script inventory, business justification, authorization, integrity assurance, and TPSP/3DS responsibility evidence
  • adds 11.6.1 evidence gates for browser-received page snapshots, HTTP header monitoring, alerting, cadence, and scope linkage
  • adds false-positive handling for provider-owned 3DS/payment iframe flows
  • adds payment-page severity guidance and a report evidence table
  • adds vulnerable and benign fixtures for merchant-managed scripts, provider-owned 3DS iframe evidence, server-FIM-only monitoring, and browser-observed tamper monitoring

Evidence

Before (skill misses this / false positive on this):

<script src="https://cdn.analytics.example/tag.js"></script>
<script src="https://cdn.chat-widget.example/widget.js"></script>
<script src="https://checkout.example-payments.test/sdk.js"></script>

A reviewer could see this on a payment page and only know that Requirement 6.4.3 exists, without structured checks for script owner, written justification, authorization, and integrity evidence.

After (now correctly handled):
The skill now requires payment-page URL inventory, browser-observed script inventory, written justification, authorization method, integrity assurance, and TPSP/3DS responsibility evidence before marking the requirement in place.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

New fixtures:

  • skills/compliance/pci-dss-review/tests/vulnerable/payment-page-scripts-no-inventory.html
  • skills/compliance/pci-dss-review/tests/vulnerable/server-fim-only-payment-page-monitoring.md
  • skills/compliance/pci-dss-review/tests/benign/provider-owned-3ds-iframe-evidence.html
  • skills/compliance/pci-dss-review/tests/benign/browser-tamper-monitoring-evidence.md

Validation

  • git diff --check
  • git diff --cached --check
  • Markdown fence balance check for skills/compliance/pci-dss-review/SKILL.md
  • Content marker checks for PCI v4.0.1 and payment-page evidence sections
  • Added-line ASCII check
  • Fixture marker checks
  • Prompt-injection term scan on new fixtures
  • Reference URL reachability via curl for PCI SSC Document Library, PCI DSS v4.0.1 publication, FAQ 1581, and PCI SSC e-commerce guidance blog

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.
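
The 6.4.3 and 11.6.1 gates the PR describes can be made concrete with a small check over what the browser actually loaded. The block below is an added example written for this page; it is not code from the pci-dss-review skill, from this PR, or from the UnitOneAI project. Every URL, origin, SRI digest, change ticket and header value in it is constructed sample data, and the shape of the "observed script" records (src, integrity, frameOrigin) is an assumption about how a browser-side collector would report them. It scores each observed script as in-place, gap, unauthorized or provider-owned (the 3DS iframe false-positive case), and then diffs a received-page snapshot of merchant-frame scripts and security headers against an approved baseline, which is the part server-side file integrity monitoring cannot see.

```javascript
// Added example, not the skill's or the PR's own code. All data below is constructed.

// Approved inventory: the 6.4.3 evidence the merchant has on file per script.
const AUTHORIZED_INVENTORY = [
  { src: 'https://cdn.analytics.example/tag.js', owner: 'merchant',
    justification: 'conversion analytics', authorizedBy: 'CHG-1201',
    integrity: null }, // assumption: no SRI recorded for this script
  { src: 'https://checkout.example-payments.test/sdk.js', owner: 'TPSP',
    justification: 'hosted payment form SDK', authorizedBy: 'CHG-1234',
    integrity: 'sha384-AAAA' }, // assumed SRI digest of the approved build
];

// Frame origins owned by the provider (e.g. a 3DS challenge iframe). Scripts
// running there are the provider's responsibility, not merchant-managed.
const PROVIDER_OWNED_ORIGINS = new Set(['https://3ds.example-payments.test']);

// Constructed browser observation: what actually executed, and in which frame.
// In a real collector this would come from document.scripts in each frame.
const OBSERVED_SCRIPTS = [
  { src: 'https://cdn.analytics.example/tag.js', integrity: null, frameOrigin: 'https://shop.example.test' },
  { src: 'https://cdn.chat-widget.example/widget.js', integrity: null, frameOrigin: 'https://shop.example.test' },
  { src: 'https://checkout.example-payments.test/sdk.js', integrity: 'sha384-AAAA', frameOrigin: 'https://shop.example.test' },
  { src: 'https://3ds.example-payments.test/challenge.js', integrity: null, frameOrigin: 'https://3ds.example-payments.test' },
];

// 6.4.3 gate: each observed script is provider-owned, or it is in the approved
// inventory with justification, authorization and some integrity assurance.
function evaluateScriptInventory(observed, inventory, providerOrigins) {
  const bySrc = new Map(inventory.map((e) => [e.src, e]));
  return observed.map((s) => {
    if (providerOrigins.has(s.frameOrigin)) {
      return { src: s.src, status: 'provider-owned',
               detail: `runs in provider frame ${s.frameOrigin}; check TPSP responsibility evidence` };
    }
    const entry = bySrc.get(s.src);
    if (!entry) return { src: s.src, status: 'unauthorized', detail: 'not in approved inventory' };
    const gaps = [];
    if (!entry.justification) gaps.push('no written justification');
    if (!entry.authorizedBy) gaps.push('no authorization record');
    if (!s.integrity && !entry.integrity) {
      gaps.push('no integrity assurance (no SRI on the tag and none in inventory)');
    } else if (s.integrity && entry.integrity && s.integrity !== entry.integrity) {
      gaps.push('SRI digest differs from inventory');
    }
    return { src: s.src, status: gaps.length ? 'gap' : 'in-place', detail: gaps.join('; ') };
  });
}

// 11.6.1 check: snapshot what the browser received (merchant-frame scripts plus
// security-relevant response headers) and diff it against an approved baseline.
const MONITORED_HEADERS = ['content-security-policy', 'x-frame-options', 'strict-transport-security'];

function snapshotReceivedPage(observed, headers, providerOrigins) {
  const scripts = observed
    .filter((s) => !providerOrigins.has(s.frameOrigin)) // provider frames are out of merchant scope
    .map((s) => `${s.frameOrigin}|${s.src}|${s.integrity || ''}`)
    .sort();
  const hdrs = {};
  for (const h of MONITORED_HEADERS) hdrs[h] = (headers[h] || '').trim();
  return { scripts, headers: hdrs };
}

function diffSnapshots(baseline, current) {
  const base = new Set(baseline.scripts);
  const cur = new Set(current.scripts);
  const addedScripts = current.scripts.filter((k) => !base.has(k));
  const removedScripts = baseline.scripts.filter((k) => !cur.has(k));
  const changedHeaders = MONITORED_HEADERS.filter((h) => baseline.headers[h] !== current.headers[h]);
  const tampered = addedScripts.length > 0 || removedScripts.length > 0 || changedHeaders.length > 0;
  return { tampered, addedScripts, removedScripts, changedHeaders };
}

// Constructed baseline taken at approval time: only the two inventoried scripts
// and a strict CSP. The "current" observation adds a script and loosens the CSP.
const BASELINE_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self' https://cdn.analytics.example https://checkout.example-payments.test",
  'x-frame-options': 'DENY',
  'strict-transport-security': 'max-age=31536000',
};
const CURRENT_HEADERS = { ...BASELINE_HEADERS, 'content-security-policy': "default-src 'self'; script-src 'self' https:" };
const BASELINE = snapshotReceivedPage([OBSERVED_SCRIPTS[0], OBSERVED_SCRIPTS[2]], BASELINE_HEADERS, PROVIDER_OWNED_ORIGINS);

function runDemo() {
  const findings = evaluateScriptInventory(OBSERVED_SCRIPTS, AUTHORIZED_INVENTORY, PROVIDER_OWNED_ORIGINS);
  const current = snapshotReceivedPage(OBSERVED_SCRIPTS, CURRENT_HEADERS, PROVIDER_OWNED_ORIGINS);
  return { findings, tamper: diffSnapshots(BASELINE, current) };
}

const result = runDemo();
for (const f of result.findings) console.log(f.status.padEnd(14), f.src, f.detail);
console.log(result.tamper);
```

On the sample data the chat widget is flagged unauthorized, the analytics tag is a gap (no integrity assurance), the payment SDK is in place, and the 3DS challenge script is reported as provider-owned rather than scored against the merchant inventory. The 11.6.1 diff reports one added script and a changed Content-Security-Policy header, which a server-side FIM baseline would never have seen.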



Development

Successfully merging this pull request may close these issues.

[REVIEW] pci-dss-review: add payment-page script and tamper evidence gates
