Add IR materiality wiper deepfake evidence gates#1475

Open
jddark62 wants to merge 2 commits into UnitOneAI:main from jddark62:improve/ir-sec-wiper-deepfake-1447

@jddark62 jddark62 commented Jun 6, 2026

Summary

Closes #1447.

This updates ir-playbook with evidence gates for SEC materiality handling, cloud/SaaS token containment, wiper backup-integrity recovery, synthetic social engineering, and legal privilege handling for SEV-1 / counsel-led incidents.

What Changed

  • Add IR-MAT-01 through IR-MAT-07 checks for missing materiality evidence, missing SEC Item 1.05 clock ownership/status, missing privilege handling, network-only cloud/SaaS exfiltration containment, unsafe wiper restore paths, missed deepfake/BEC indicators, and missing Not Evaluable states.
  • Add a materiality checklist covering functional, financial, legal/regulatory, customer/reputational, and governance decision evidence.
  • Extend containment guidance so valid cloud/SaaS sessions, OAuth grants, API keys, service-account credentials, and role sessions are contained alongside network isolation.
  • Add a wiper cold-shutdown / recovery integrity gate for immutable backup status, malware scan, restore test, last-known-good age, and re-wipe-loop prevention.
  • Add synthetic social engineering classification and verification guidance for deepfake audio/video and BEC-style payment/access requests.
  • Add privilege/work-product handling and need-to-know distribution to executive notification guidance.
  • Extend report output with materiality, cloud identity, wiper backup integrity, and synthetic social engineering sections.
  • Add six YAML fixtures covering missing materiality evidence, executive notice without privilege handling, cloud exfiltration with network-only containment, wiper restore without backup integrity, deepfake BEC without verification, and a complete evidence package.

Validation

  • git diff --check
  • Parsed all 6 YAML fixtures successfully
  • Markdown fence balance check
  • Marker/content scan for IR-MAT, materiality, 4-business-day, privilege handling, cloud identity, wiper backup integrity, synthetic social engineering, Not Evaluable, and 1.0.2
  • Live reference checks returned HTTP 200 for Microsoft Entra sign-in session revocation, CISA Secure by Demand, NIST AI RMF, and CISA reporting; SEC source is included but blocks simple automated curl from this environment
  • Privacy scan for local paths, personal email, and workspace identifiers

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method can be coordinated privately after maintainer acceptance.

/claim #1447
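
As an added illustration that is not part of this pull request or the ir-playbook repository, the sketch below shows how the wiper recovery integrity gate described above could be evaluated so that missing evidence yields Not Evaluable rather than a pass. The evidence field names, the 72-hour last-known-good limit, and the sample records are assumptions made for this example.

```python
"""Wiper restore gate sketch. Field names and the 72 h limit are assumptions."""

PASS, FAIL, NOT_EVALUABLE = "Pass", "Fail", "Not Evaluable"

# Hypothetical evidence keys, one per item the gate lists.
BOOLEAN_EVIDENCE = (
    "backup_immutable",        # immutable backup status
    "malware_scan_clean",      # malware scan of the restore source
    "restore_test_passed",     # restore test result
    "rewipe_loop_prevented",   # re-wipe-loop prevention confirmed
)


def evaluate_wiper_restore(evidence, max_lkg_age_hours=72.0):
    """Return per-check states plus an overall gate state for one incident record."""
    checks = {}
    for key in BOOLEAN_EVIDENCE:
        value = evidence.get(key)
        if not isinstance(value, bool):
            checks[key] = NOT_EVALUABLE  # missing or malformed evidence is never a pass
        else:
            checks[key] = PASS if value else FAIL

    age = evidence.get("last_known_good_age_hours")
    if isinstance(age, bool) or not isinstance(age, (int, float)) or age < 0:
        checks["last_known_good_age"] = NOT_EVALUABLE
    else:
        checks["last_known_good_age"] = PASS if age <= max_lkg_age_hours else FAIL

    # A known failure outranks a gap; a gap outranks a pass.
    states = set(checks.values())
    if FAIL in states:
        gate = FAIL
    elif NOT_EVALUABLE in states:
        gate = NOT_EVALUABLE
    else:
        gate = PASS
    return {"checks": checks, "gate": gate, "restore_allowed": gate == PASS}


# Constructed sample records (not the PR's YAML fixtures).
COMPLETE = {"backup_immutable": True, "malware_scan_clean": True,
            "restore_test_passed": True, "rewipe_loop_prevented": True,
            "last_known_good_age_hours": 30}
NO_SCAN = {k: v for k, v in COMPLETE.items() if k != "malware_scan_clean"}
STALE_AND_MUTABLE = dict(COMPLETE, backup_immutable=False, last_known_good_age_hours=200)

if __name__ == "__main__":
    for name, record in [("complete", COMPLETE), ("no_scan", NO_SCAN),
                         ("stale_and_mutable", STALE_AND_MUTABLE)]:
        print(name, evaluate_wiper_restore(record))
```
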


Successfully merging this pull request may close these issues.

[REVIEW] ir-playbook: add 2026 'Cold Shutdown' wiper protocol and SEC 4-day materiality logic
