Improve IR playbook materiality and wiper gates

[bozicovichsantiago20-oss]

/claim #1447

Summary

• Add identity-level containment for SaaS/API token exfiltration so valid-token abuse is not treated as host isolation only.
• Add SEC materiality determination evidence, output fields, and escalation path for public-company disclosure decisions.
• Add cold-shutdown wiper recovery safeguards: backup/snapshot binary scan, immutable/offline evidence, sandbox restore canary, and approval gate.
• Add deepfake/BEC classification and legal-privilege handling for SEV-1 executive communications.

Validation

• git diff --check
• Markdown fence balance check
• Marker checks for SEC materiality, identity-level containment, snapshot integrity, legal privilege, deepfake/BEC, and output fields
• Reference reachability check: NIST and CISA returned HTTP 200; SEC blocks automated validation with HTTP 403 but the official SEC release URL is retained from the existing reference set.

Preferred payment: PayPal or GitHub Sponsors after maintainer acceptance.

[bozicovichsantiago20-oss]

Follow-up validation added in commit 2855568.

What changed:

• Added Step 3.6: 2026 Scenario Validation Cases to make the new gates reviewable against concrete incident scenarios.
• Covered SaaS/API token exfiltration, cold-shutdown wiper recovery, SEC materiality review, and synthetic identity/deepfake BEC.
• Each scenario now names the required evidence and the report sections that must be populated, with Not Evaluable handling for missing evidence.

Validation:

• git diff --check
• Markdown fence count balanced
• Marker check for scenario validation, SaaS/API token exfiltration, cold-shutdown wiper, public-company materiality, synthetic identity/deepfake BEC, and Not Evaluable