Add SOC2 subservice CUEC evidence gates

[jddark62]

Summary

• add a SOC 2 subservice organization and CUEC/CSOC scope gate to soc2-gap
• require critical providers to be classified as vendor, carved-out subservice organization, or included subservice organization before system-description readiness is marked complete
• add SOC2-SUBSERVICE-01 through SOC2-SUBSERVICE-07 checks for reporting method, report-period/bridge-letter coverage, CUEC/CSOC extraction, internal control mapping, report exceptions, nested subservice providers, and NDA-limited reports
• update CC9.2 criteria evidence so vendor SOC 2 collection does not score as ready without complementary-control mapping
• add six YAML fixtures covering unmapped vendor reports, extracted-but-unmapped CUECs, bridge-letter coverage, NDA-limited reports, nested subservice gaps, and a complete passing package

Validation

• git diff --check
• parsed all 6 YAML fixture blocks with Ruby YAML.safe_load
• verified Markdown fence balance across touched Markdown files
• marker scan confirmed SOC2-SUBSERVICE-*, CUEC/CSOC worksheet, bridge-letter evidence, and version 1.0.1
• privacy scan found no local user/path/email strings in changed files

Closes #1124

Bounty target: Improver Moderate if accepted.

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms.
• Preferred payment method can be coordinated privately after maintainer acceptance.

/claim #1124