
docs: add zero trust continuity gates#1305

Closed
catcherintheroad-hub wants to merge 1 commit into
UnitOneAI:mainfrom
catcherintheroad-hub:improve/zero-trust-continuity-fail-secure

Conversation

@catcherintheroad-hub


Summary

Implements the zero-trust fail-secure continuity coverage gap described in #1303.

What changed

  • Adds a Policy Decision Continuity and Fail-Secure Behavior review step to zero-trust-assessment.
  • Requires PE/PA/PEP dependency inventory for each critical access path.
  • Adds trust-signal freshness, cache/token/tunnel TTL, stale-data action, outage behavior, and revocation propagation evidence.
  • Adds bounded break-glass criteria so emergency access is assessed separately from silent fail-open behavior.
  • Adds ZT-CONT-* finding codes for missing failure-mode evidence, fail-open PEP behavior, stale trust signals, overlong TTLs, untested revocation, weak break-glass, and maturity overclaiming.
  • Updates severity and output guidance so missing continuity evidence is Not Evaluable instead of being over-scored as Advanced or Optimal.
  • Adds NIST SP 800-53 Rev. 5 Update 1 SA-8 / SC-24 as a supporting secure-failure reference.

Why

The existing skill had strong NIST SP 800-207 and CISA ZTMM pillar coverage, but it could score a zero-trust architecture from component presence without proving how access behaves when the decision plane, enforcement point, or trust-signal sources are degraded. This change makes fail-secure behavior, stale-signal handling, revocation propagation, and bounded emergency access first-class evidence.

Validation

  • git diff --check
  • Markdown code fence balance check
  • Required marker checks for Policy Decision Continuity and Fail-Secure Behavior, Policy Decision Continuity Matrix, ZT-CONT-01, ZT-CONT-08, Trust-signal sources, Revocation propagation, Break-glass boundary, Not Evaluable, and version 1.1.0
  • Frontmatter required-field check
  • Prompt-injection term scan on added diff lines
  • Reference URL reachability check for NIST SP 800-53 Rev. 5 Update 1, NIST SP 800-207, and CISA ZTMM

Bounty

This is intended as a Skill Improvement / Improver contribution for #1303. Payment details can be provided privately after maintainer acceptance.

Closes #1303
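The description above lists the evidence the new review step collects per critical access path (PE/PA/PEP dependency inventory, trust-signal freshness, cache/token/tunnel TTLs, stale-data action, outage behaviour, revocation propagation, bounded break-glass) and says missing continuity evidence must land on Not Evaluable rather than an inflated maturity level. The following is an added illustration of how such a gate can be expressed as code; it is not the zero-trust-assessment skill's own implementation. The thresholds, field names, finding names and the "cap at Initial when evidence exists but shows a weakness" rule are assumptions made for the example, the ZT-CONT-* numbering is deliberately not reproduced, and the Data pillar is included among the affected pillars as the review comment further down the page asks.

```python
"""Toy evaluator for a zero-trust policy-decision-continuity review step.

Added example, not the skill's own code. Field names, thresholds and finding
names are assumptions; the real ZT-CONT-* codes are not reproduced here.
"""
from dataclasses import dataclass, field
from typing import Optional

# CISA ZTMM maturity levels, lowest to highest.
MATURITY = ["Traditional", "Initial", "Advanced", "Optimal"]
NOT_EVALUABLE = "Not Evaluable"

# Assumed review thresholds (not taken from the page).
MAX_TRUST_SIGNAL_AGE_S = 300        # trust signals older than this count as stale
MAX_TTL_S = 3600                    # cache/token/tunnel lifetimes above this are overlong
MAX_BREAK_GLASS_DURATION_S = 4 * 3600


@dataclass
class BreakGlass:
    """Emergency access path; 'bounded' means time-limited, approved and logged."""
    max_duration_s: Optional[int]
    approval_required: bool
    logged: bool

    def bounded(self) -> bool:
        return (self.max_duration_s is not None
                and self.max_duration_s <= MAX_BREAK_GLASS_DURATION_S
                and self.approval_required and self.logged)


@dataclass
class CriticalPath:
    name: str
    pillars: tuple                                  # ZTMM pillars this path is scored under
    dependencies: tuple = ()                        # PE/PA/PEP components the path relies on
    outage_behavior: Optional[str] = None           # "fail-closed", "fail-open" or None = no evidence
    trust_signal_age_s: Optional[int] = None        # age of the freshest accepted trust signal
    stale_data_action: Optional[str] = None         # "deny", "step-up" or "allow"
    ttls_s: dict = field(default_factory=dict)      # {"cache": .., "token": .., "tunnel": ..}
    revocation_tested: Optional[bool] = None        # was revocation propagation actually exercised?
    break_glass: Optional[BreakGlass] = None
    claimed_maturity: dict = field(default_factory=dict)  # pillar -> level claimed by the owner


def evaluate_path(p: CriticalPath) -> dict:
    """Return {'findings': [...], 'cap': {pillar: highest allowed level or Not Evaluable}}."""
    findings = []
    required_ttls = {"cache", "token", "tunnel"}
    evidence_missing = (not p.dependencies or p.outage_behavior is None
                        or p.trust_signal_age_s is None or p.stale_data_action is None
                        or not required_ttls <= set(p.ttls_s) or p.revocation_tested is None)
    if evidence_missing:
        # Missing continuity evidence is reported, never scored up to Advanced/Optimal.
        findings.append("missing-failure-mode-evidence")
        cap = {pl: NOT_EVALUABLE for pl in p.pillars}
    else:
        if p.outage_behavior == "fail-open":
            findings.append("fail-open-pep-behavior")
        if p.trust_signal_age_s > MAX_TRUST_SIGNAL_AGE_S or p.stale_data_action == "allow":
            findings.append("stale-trust-signals")
        if any(ttl > MAX_TTL_S for ttl in p.ttls_s.values()):
            findings.append("overlong-ttl")
        if not p.revocation_tested:
            findings.append("untested-revocation")
        if p.break_glass is not None and not p.break_glass.bounded():
            findings.append("weak-break-glass")
        # Assumed rule: any continuity weakness caps the affected pillars at Initial.
        level = "Initial" if findings else "Optimal"
        cap = {pl: level for pl in p.pillars}
    # Claiming more than the cap allows is itself a finding (maturity overclaim).
    for pl, claimed in p.claimed_maturity.items():
        allowed = cap.get(pl)
        if allowed == NOT_EVALUABLE or MATURITY.index(claimed) > MATURITY.index(allowed):
            findings.append(f"maturity-overclaim:{pl}")
    return {"findings": findings, "cap": cap}


# Constructed samples (not real assessment data).
SAMPLE_PATH = CriticalPath(          # PEP falls open during PE outages; day-long tokens; unbounded break-glass
    name="regulated-data-download",
    pillars=("Identity", "Devices", "Networks", "Applications & Workloads", "Data"),
    dependencies=("policy-engine", "policy-administrator", "api-gateway-pep"),
    outage_behavior="fail-open", trust_signal_age_s=120, stale_data_action="step-up",
    ttls_s={"cache": 60, "token": 86400, "tunnel": 1800}, revocation_tested=True,
    break_glass=BreakGlass(max_duration_s=None, approval_required=True, logged=True),
    claimed_maturity={"Data": "Advanced", "Identity": "Initial"},
)
UNDOCUMENTED_PATH = CriticalPath(    # no failure-mode evidence at all, yet claims Optimal
    name="admin-console", pillars=("Identity",), claimed_maturity={"Identity": "Optimal"},
)
CLEAN_PATH = CriticalPath(           # complete, fail-closed evidence with bounded break-glass
    name="hr-portal", pillars=("Identity",), dependencies=("policy-engine", "idp-pep"),
    outage_behavior="fail-closed", trust_signal_age_s=30, stale_data_action="deny",
    ttls_s={"cache": 60, "token": 900, "tunnel": 1800}, revocation_tested=True,
    break_glass=BreakGlass(max_duration_s=3600, approval_required=True, logged=True),
    claimed_maturity={"Identity": "Advanced"},
)

if __name__ == "__main__":
    for path in (SAMPLE_PATH, UNDOCUMENTED_PATH, CLEAN_PATH):
        print(path.name, evaluate_path(path))
```

Running the block prints one line per constructed path: the regulated-data path is capped at Initial on every pillar including Data and carries a maturity-overclaim finding for Data; the undocumented admin console is Not Evaluable with an overclaim; the clean path has no findings.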

@chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9445aa236f

#### Scoring Guidance

- Cap affected Identity, Devices, Networks, and Applications & Workloads pillar maturity at **Initial** when critical paths cannot show PE/PA/PEP failure-mode evidence.
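Review bot: this bullet caps the affected pillars at Initial when a critical path cannot show PE/PA/PEP failure-mode evidence, but the PR summary says missing continuity evidence is to be reported as Not Evaluable rather than scored; as written, a path with no failure-mode evidence still receives a maturity level. State which rule applies, for example "Report the affected pillars as Not Evaluable when critical paths cannot show PE/PA/PEP failure-mode evidence; cap at Initial when evidence exists but shows fail-open or untested behaviour."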


P2: Include Data in continuity maturity cap

When the critical path is for regulated data or sensitive downloads (explicitly in scope in the new procedure), this cap excludes the Data pillar, so an assessment can still score Data as Advanced/Optimal even though its outage behavior, TTLs, or revocation propagation are missing and should be Not Evaluable. Please include Data in the affected pillars or add equivalent Data-specific scoring guidance so data-access continuity gaps cannot be over-scored.


@catcherintheroad-hub (Author)

Closing this to avoid duplicate review noise. PR #1304 was opened first and covers the #1303 decision-continuity scope more completely, including calibration fixtures. I will not compete on this issue.



Development

Successfully merging this pull request may close these issues.

[REVIEW] zero-trust-assessment: add policy decision continuity and fail-secure gates
