Add IaC variable resolution evidence gates

[Peter7896]

Summary

• Upgrades iac-security to v1.1.0 with effective input-chain evidence for Terraform defaults, tfvars, auto tfvars, CLI inputs, CI wrappers, Terraform Cloud/HCP variables, Terragrunt inputs, plan/state evidence, and source-only gaps.
• Extends tool-rules.md with input-source discovery, CLI/environment patterns, security-sensitive override patterns, review outcomes, and IAC-VAR-* finding examples.
• Adds benign and vulnerable fixtures for complete prod input evidence, HCP/TFC variable exports, missing prod var-files, secure defaults weakened by auto tfvars, committed sensitive tfvars, Terragrunt overrides, and unavailable workspace variables.

This expands coverage with fixture-backed evidence for effective environment values and Not Evaluable from Source Only decisions.

Related issue

Closes #1296

Validation

• git diff --check
• git diff origin/main..HEAD --check
• Frontmatter required-field check for iac-security/SKILL.md
• Markdown fence-balance check for iac-security/**/*.md
• JSON parse check for added fixtures
• Prompt-injection pattern scan on added diff lines
• Public identity hygiene scan on added diff lines
• Keyword coverage check for Effective Input Chain, IAC-VAR-01, IAC-VAR-07, Not Evaluable from Source Only, TF_VAR_, -var-file, *.auto.tfvars, terraform.tfvars, Terragrunt, inputs, workspace variables, prod.auto.tfvars, 0.0.0.0/0, sensitive, Pass, Fail, and Partial