docs: add IaC plan state provenance gates #1362

Open
catcherintheroad-hub wants to merge 1 commit into UnitOneAI:main from catcherintheroad-hub:improve/iac-plan-state-provenance

Conversation

@catcherintheroad-hub


Summary

Adds plan, apply, state, and provenance evidence gates to iac-security so IaC review covers the effective deployment path, not only source scanning.

Changes

  • Added IAC-PLAN-01 through IAC-PLAN-04, IAC-STATE-01 through IAC-STATE-02, and IAC-PROV-01 through IAC-PROV-02.
  • Added evidence requirements for plan artifacts, apply records, state backends, drift reports, provenance, and break-glass paths.
  • Added decision guidance for local plans, committed state, -auto-approve, drift, and mutable module refs.
  • Extended the output template with Plan / Apply / State Evidence.
  • Expanded SLSA mapping with verification of plan traceability.
  • Added pitfalls for reviewing source without plans, assuming remote state is secure, and ignoring drift after approval.
  • Added official Terraform state security and dependency lock file references.
  • Added edge-case fixtures for reviewed/applied plan mismatch, local state with secrets, and module refs pinned to mutable branches.

Validation

  • git diff --check
  • Added-line non-ASCII scan
  • Added-line prompt-injection marker scan
  • Markdown code fence balance check for touched files
  • Reference URL checks returned HTTP 200:
    • Terraform State Security
    • Terraform Dependency Lock File

Related issue

Created from review issue: #1361
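The "module refs pinned to mutable branches" fixture above can be turned into a mechanical gate. The following is an added example, not part of this PR or the iac-security docs: it scans Terraform `module` blocks for git sources whose `?ref=` is absent or names a branch, and reports the pin kind so a reviewer can require commit SHAs. The sample HCL and repository URL are constructed; the regexes assume flat module blocks without nested braces.

```python
import re

# Constructed sample main.tf: one branch ref, one tag, one commit SHA, one local path.
SAMPLE_TF = '''
module "vpc" {
  source = "git::https://github.com/example-org/tf-modules.git//vpc?ref=main"
}
module "iam" {
  source = "git::https://github.com/example-org/tf-modules.git//iam?ref=v1.4.2"
}
module "kms" {
  source = "git::https://github.com/example-org/tf-modules.git//kms?ref=9fceb02d0ae598e95dc970b74767f19372d61af8"
}
module "local_net" {
  source = "./modules/net"
}
'''

MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\}', re.S)  # flat blocks only
SOURCE_RE = re.compile(r'source\s*=\s*"([^"]+)"')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
TAG_RE = re.compile(r'^v?\d+\.\d+\.\d+$')


def classify_ref(source):
    """Return (pin_kind, ref) for a module source: commit, tag, branch, unpinned or non-git."""
    if not source.startswith("git::"):
        return ("non-git", None)
    ref = None
    if "?ref=" in source:
        ref = source.split("?ref=", 1)[1].split("&", 1)[0]
    if ref is None:
        return ("unpinned", None)  # resolves to the remote's default branch
    if SHA_RE.match(ref):
        return ("commit", ref)  # immutable content address
    if TAG_RE.match(ref):
        return ("tag", ref)  # stable by convention, but a tag can be moved
    return ("branch", ref)


def find_mutable_module_refs(hcl_text, allow_tags=True):
    """List (module_name, pin_kind, ref) for sources that do not resolve to fixed content."""
    mutable = {"unpinned", "branch"} | (set() if allow_tags else {"tag"})
    findings = []
    for name, body in MODULE_RE.findall(hcl_text):
        match = SOURCE_RE.search(body)
        if match:
            kind, ref = classify_ref(match.group(1))
            if kind in mutable:
                findings.append((name, kind, ref))
    return findings
```

With `allow_tags=False` the gate also reports the tag-pinned module, which is the stricter policy when the review requires commit SHAs.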
