
docs: add SOC 2 evidence sampling gates #1405

Open

catcherintheroad-hub wants to merge 1 commit into UnitOneAI:main from catcherintheroad-hub:improve/soc2-evidence-period-sampling

Conversation

@catcherintheroad-hub


Created from review issue: #1403

Summary

  • Add SOC 2 Type II evidence quality gates for audit-period coverage, sample sufficiency, system boundary mapping, evidence freshness, and exception handling
  • Add scoring caps so stale, point-in-time, partial-period, or ownerless evidence cannot produce inflated readiness scores
  • Add edge-case fixtures for stale access review evidence, partial-period change samples, unresolved vulnerability exceptions, and complete Type II evidence records

Validation

  • git diff --check
  • Markdown fence balance and ASCII check for touched files
  • Reference URL checks for AICPA Trust Services Criteria PDF, AICPA SOC suite, AICPA SOC 2 overview, and NIST Cybersecurity Framework

@chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5b195b2edf


Apply these caps after the initial maturity score:

- Cap at 2 if evidence exists but lacks audit period coverage, population, sample size, or system boundary mapping.


P2: Avoid capping non-sampled controls for missing sample fields

This cap is applied to all evidence, but many SOC 2 artifacts in the table below are policies, configs, full-population reports, or other non-sampled evidence where population/sample size are legitimately N/A. In those cases the skill would force an otherwise complete Type II control down to 2 solely because sampling metadata is absent, even though the new checklist itself marks population and sample size as required only for sampled controls. Please scope this cap to sampled operating evidence, or allow explicit N/A/full-population evidence to remain eligible for higher scores.

Useful? React with 👍 / 👎.
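To make the reviewer's point concrete, here is an added example (not code from this PR or the UnitOneAI project) that scores the same evidence records under the cap as written and under a cap scoped to sampled operating evidence. The evidence kinds, field names and the 0-5 maturity scale are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Kinds the review comment names as legitimately non-sampled (assumed labels).
NON_SAMPLED_KINDS = {"policy", "config", "full_population_report"}


@dataclass
class Evidence:
    control: str
    kind: str                       # one of NON_SAMPLED_KINDS or "sampled_operating"
    initial_score: int              # maturity score before caps, 0-5 (assumed scale)
    covers_audit_period: bool       # full Type II period, not point-in-time
    system_boundary_mapped: bool
    population: Optional[int] = None    # None = not recorded
    sample_size: Optional[int] = None


def cap_as_written(ev: Evidence) -> int:
    """Cap from the PR text: any missing period, boundary, population or
    sample field forces the score down to 2, regardless of evidence kind."""
    missing = (not ev.covers_audit_period
               or not ev.system_boundary_mapped
               or ev.population is None
               or ev.sample_size is None)
    return min(ev.initial_score, 2) if missing else ev.initial_score


def cap_scoped(ev: Evidence) -> int:
    """Reviewer's suggestion: period coverage and boundary mapping are always
    required; population and sample size only for sampled controls."""
    missing = not ev.covers_audit_period or not ev.system_boundary_mapped
    if ev.kind not in NON_SAMPLED_KINDS:
        missing = missing or ev.population is None or ev.sample_size is None
    return min(ev.initial_score, 2) if missing else ev.initial_score


def compare(records) -> dict:
    """Return {control: (as_written, scoped)} so the two rules can be diffed."""
    return {ev.control: (cap_as_written(ev), cap_scoped(ev)) for ev in records}


# Constructed sample records, not real audit evidence.
SAMPLE = [
    Evidence("access-control-policy", "policy", 5, True, True),
    Evidence("change-mgmt-samples", "sampled_operating", 4, True, True, 120, None),
    Evidence("change-mgmt-complete", "sampled_operating", 4, True, True, 120, 25),
    Evidence("vuln-scan-report", "full_population_report", 5, False, True),
]

if __name__ == "__main__":
    for control, (written, scoped) in compare(SAMPLE).items():
        print(f"{control:24} as written={written}  scoped={scoped}")
```

Only the complete policy record changes between the two rules: the cap as written drops it to 2 for lacking sampling metadata, while the scoped cap leaves its score intact; records with missing samples or partial-period coverage are capped under both.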
