Add AI-integrated web evidence gates

[minorstep]

Summary

Closes #1465.

This updates owasp-top-10-web with evidence gates for modern AI-integrated and API-first web applications while preserving the existing OWASP Top 10:2021 structure.

What changed

• Adds an AI-integrated web evidence gate for LLM, agent, RAG, OCR, document, tool, and model output rendered into DOM, Markdown, rich-text, or privileged client sinks.
• Adds false-positive guidance for reviewed Trusted Types, browser Sanitizer API, framework sanitizer, and CSP-backed render paths.
• Adds API-first authentication evidence for passkeys/WebAuthn, OAuth/OIDC public clients, PKCE, state/nonce, audience/resource binding, DPoP, mTLS, refresh-token rotation, and replay controls.
• Adds a cloud metadata SSRF evidence gate for AWS IMDS/IMDSv2, GCP metadata header expectations, Azure IMDS, DNS rebinding, redirects, IPv6, alternate encodings, and egress controls.
• Extends the output format with an Evidence Gate field so findings capture the specific reviewed gate rather than broad category labels.

Validation

• git diff --check
• Frontmatter required-field and version parse for owasp-top-10-web v1.0.2
• Markdown fence-balance check
• Added-line ASCII check
• Marker checks for AI render, API auth, cloud metadata SSRF, Trusted Types, Sanitizer API, WebAuthn, DPoP, PKCE, IMDSv2, and Metadata-Flavor
• Live primary-source URL checks returned HTTP 200/3xx for OWASP ASVS, W3C WebAuthn, RFC 9449, W3C Trusted Types, WICG Sanitizer API, AWS IMDS, Google Cloud metadata, and Azure IMDS
• Exact pre-submit PR search for [REVIEW] owasp-top-10-web: add 2025 'AI-Integrated Web App' vectors and API-First 'A11' checks #1465 / AI-integrated web wording found no competing PR

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms.
• Preferred payment method can be coordinated privately after maintainer acceptance.

/claim #1465