
Add zero trust decision continuity gates#1304

Open
MAUROCERON wants to merge 1 commit into
UnitOneAI:mainfrom
MAUROCERON:improve/zero-trust-decision-continuity-1303

Conversation

@MAUROCERON


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: zero-trust-assessment
Skill path: skills/identity/zero-trust-assessment/

What Was Wrong

The skill had strong NIST SP 800-207 and CISA ZTMM pillar coverage, but it did not require reviewers to prove what happens when the policy engine, policy administrator, policy enforcement point, or trust-signal sources are unavailable or stale.

That can overstate maturity in zero trust deployments where:

  • a PEP silently allows new or existing sessions when the PE/PA is unreachable;
  • cached allow decisions survive user disablement, device non-compliance, or high-risk threat signals;
  • MDM/EDR/IdP/threat-intel signals are stale but still satisfy dynamic policy;
  • ZTNA tunnel, session token, or policy-cache TTL exceeds the risk-signal freshness window;
  • break-glass access exists but lacks scope, duration, alerting, session capture, or post-use review evidence.

What This PR Fixes

Closes #1303.

  • Adds a new Step 7: Policy Decision Continuity and Fail-Secure Behavior.
  • Adds a decision continuity evidence table covering PE/PA/PEP dependencies, failure mode, signal freshness, cache controls, PEP independence, outage tests, and break-glass boundary evidence.
  • Adds ZT-CONT-* checks for undocumented outage behavior, fail-open PEP behavior, stale trust signals, revocation propagation gaps, unbounded degraded mode, and untested decision continuity.
  • Adds a decision continuity matrix to the output format.
  • Adds scoring guidance that caps maturity when failure-mode evidence is missing and treats unbounded cached access after revocation or stale high-risk signals as high/critical risk.
  • Adds a calibration fixture at skills/identity/zero-trust-assessment/tests/decision-continuity-edge-cases.md with vulnerable cached-allow and benign bounded-degraded scenarios.
  • Adds NIST SP 800-53 Rev. 5 SA-8 / SC-24 reference for secure defaults, secure failure, and fail in known state.

Evidence

Before (skill misses this):

```yaml
access_path: "admin user -> production finance app"
failure_mode:
  policy_engine_unreachable: "allow existing and new sessions"
  policy_cache_ttl: "24 hours"
signal_freshness:
  max_allowed_age: "15 minutes"
  last_device_signal_age: "9 hours"
observed_test:
  disabled_user_continued_access: true
```

The previous skill could record policy-engine and device-posture concepts, but did not force the reviewer to classify this as fail-open or stale-signal access.

After (now correctly handled):

The new ZT-CONT-* checks require failure mode, cache/token TTL, stale-signal action, revocation propagation, outage test result, and break-glass boundary before maturity is scored.

Test Cases Added/Updated

  • Added vulnerable/benign calibration fixture: skills/identity/zero-trust-assessment/tests/decision-continuity-edge-cases.md
  • Existing validation still passes / Markdown-only skill improvement

Validation

  • Markdown fence balance check:
    • SKILL.md: 24 fences, balanced.
    • tests/decision-continuity-edge-cases.md: 4 fences, balanced.
  • Required frontmatter fields present for SKILL.md.
  • Marker checks passed for:
    • Policy Decision Continuity and Fail-Secure Behavior
    • Decision Continuity Matrix
    • ZT-CONT-01
    • ZT-CONT-10
    • SC-24 Fail in Known State
    • tests/decision-continuity-edge-cases.md
  • Prompt-injection scan equivalent passed for touched files.
  • Private-data scan passed; no payout email or private payment identifier appears in changed files.
  • Official references returned HTTP 200:
    • NIST SP 800-207
    • NIST SP 800-53 Rev. 5 update 1
    • CISA Zero Trust Maturity Model

Sources Checked

Duplicate Check

Checked open issues/PRs for:

  • zero-trust-assessment
  • device posture freshness
  • coverage denominator
  • PE/PA/PEP
  • fail-open fail-closed
  • policy engine outage
  • stale signal deny by default

Existing related work covers source freshness/pillar evidence (#85), workload identity (#441), EO 14028 metadata (#609), device posture freshness/CAE (#670), and coverage denominators/exceptions (#1005). This PR is distinct because it focuses on policy-decision continuity, fail-secure/fail-open behavior, cache/token TTL, stale trust-signal action, and revocation propagation during PE/PA/PEP or signal-source outages.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, false-positive reduction, and calibration fixture
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.
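A worked gate over the kind of evidence record shown in the PR, as an added example that is not part of the PR, the skill, or the repository's own logic. It assumes a Python checker that reads an `access_path` record, parses the duration strings, and emits findings in the categories the PR lists: fail-open PEP behaviour, unbounded degraded mode, policy-cache TTL longer than the signal freshness window, stale trust signals that still satisfy policy, a revocation propagation gap, and missing outage or test evidence that caps maturity instead of scoring it. The check names, severities, the `degraded_mode_max_duration` and `stale_signal_action` fields, and the benign fixture are assumptions made for this example, not the PR's ZT-CONT-* numbering or its calibration fixture.

```python
"""Decision-continuity gate (example only; not the skill's own check logic).
Check names, severities and the degraded_mode_max_duration / stale_signal_action
fields are assumptions of this example, not the PR's ZT-CONT-* numbering."""
import re
from dataclasses import dataclass

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
_SEVERITY_RANK = {"none": 0, "cap": 1, "high": 2, "critical": 3}


def parse_duration(text: str) -> int:
    """'24 hours' / '15 minutes' / '1 day' -> seconds."""
    m = re.fullmatch(r"(\d+)\s*([a-z]+)", text.strip().lower())
    if not m:
        raise ValueError(f"unparseable duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).rstrip("s")]  # tolerate plurals


def session_policy(text: str) -> dict:
    """Heuristic parse of an outage statement into {'new': allowed?, 'existing': allowed?}.
    A session class the statement does not mention defaults to allowed, because
    silence about what the PEP does during an outage is itself fail-open."""
    policy = {"new": True, "existing": True}
    for clause in re.split(r"[;,]", text.lower()):
        denied = any(v in clause for v in ("deny", "drop", "terminate", "block"))
        for cls in ("new", "existing"):
            if cls in clause:
                policy[cls] = not denied
    return policy


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str  # 'cap' blocks maturity scoring; 'high' / 'critical' are risk ratings
    detail: str


def assess_continuity(record: dict) -> list:
    out = []
    fm = record.get("failure_mode") or {}
    sf = record.get("signal_freshness") or {}
    test = record.get("observed_test")
    max_age = parse_duration(sf["max_allowed_age"]) if "max_allowed_age" in sf else None

    outage = fm.get("policy_engine_unreachable")
    if outage is None:
        out.append(Finding("undocumented-outage-behavior", "cap",
                           "no statement of PEP behaviour when the PE/PA is unreachable"))
    else:
        pol = session_policy(outage)
        if pol["new"]:
            out.append(Finding("fail-open-pep", "critical",
                               "new sessions admitted without a policy decision"))
        if pol["existing"]:
            bound = fm.get("degraded_mode_max_duration")
            if bound is None or (max_age is not None and parse_duration(bound) > max_age):
                out.append(Finding("unbounded-degraded-mode", "high",
                                   "existing sessions persist beyond the signal freshness window"))

    if "policy_cache_ttl" in fm and max_age is not None:
        ttl = parse_duration(fm["policy_cache_ttl"])
        if ttl > max_age:
            out.append(Finding("cache-ttl-exceeds-freshness", "high",
                               f"policy cache TTL {ttl}s exceeds freshness window {max_age}s"))

    if max_age is not None and "last_device_signal_age" in sf:
        age = parse_duration(sf["last_device_signal_age"])
        if age > max_age and str(sf.get("stale_signal_action", "")).lower() != "deny":
            out.append(Finding("stale-trust-signal", "high",
                               f"device signal is {age}s old (window {max_age}s) and stale signals are not denied"))

    if test is None:
        out.append(Finding("untested-decision-continuity", "cap",
                           "no outage / revocation test result recorded"))
    elif test.get("disabled_user_continued_access"):
        out.append(Finding("revocation-propagation-gap", "critical",
                           "disabled user retained access after revocation"))
    return out


def summarize(record: dict) -> dict:
    findings = assess_continuity(record)
    worst = max((f.severity for f in findings), key=_SEVERITY_RANK.__getitem__, default="none")
    return {
        "access_path": record.get("access_path"),
        "maturity_capped": any(f.severity == "cap" for f in findings),
        "max_severity": worst,
        "checks": [f.check for f in findings],
    }


# Constructed fixtures: VULNERABLE mirrors the 'Before' record in the PR text;
# BENIGN is a bounded-degraded case written for this example.
VULNERABLE = {
    "access_path": "admin user -> production finance app",
    "failure_mode": {"policy_engine_unreachable": "allow existing and new sessions",
                     "policy_cache_ttl": "24 hours"},
    "signal_freshness": {"max_allowed_age": "15 minutes", "last_device_signal_age": "9 hours"},
    "observed_test": {"disabled_user_continued_access": True},
}
BENIGN = {
    "access_path": "analyst -> internal wiki",
    "failure_mode": {"policy_engine_unreachable": "deny new sessions; keep existing sessions",
                     "degraded_mode_max_duration": "10 minutes", "policy_cache_ttl": "5 minutes"},
    "signal_freshness": {"max_allowed_age": "15 minutes", "last_device_signal_age": "4 minutes",
                         "stale_signal_action": "deny"},
    "observed_test": {"disabled_user_continued_access": False},
}

if __name__ == "__main__":
    for rec in (VULNERABLE, BENIGN):
        print(summarize(rec))
```

The gate treats an unstated session class as allowed and missing evidence as a scoring cap rather than a pass, which is the point of the PR: a reviewer who cannot show what the PEP does during an outage has not demonstrated fail-secure behaviour, so maturity is withheld rather than inferred.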


Development


[REVIEW] zero-trust-assessment: add policy decision continuity and fail-secure gates
