Add access review SoD evidence fixtures #1487

Open
jddark62 wants to merge 1 commit into UnitOneAI:main from jddark62:improve/access-sod-fixtures-889
jddark62 commented Jun 6, 2026

Summary

  • adds AR-SOD-08 through AR-SOD-14 evidence gates for SoD rule provenance, transaction-path proof, cross-system toxic combinations, scope false-positive guards, compensating-control operation, JIT/emergency activation evidence, and certifier independence
  • adds a SoD evidence model and severity calibration so role-name matches are not over-scored without effective transaction capability
  • extends the report output with a SoD Evidence Summary table
  • adds seven YAML fixtures covering confirmed production toxic access, sandbox/zero-limit false positives, missing rule provenance, unmapped cross-system paths, paper-only compensating controls, complete JIT activation evidence, and self-certified exceptions

Validation

  • git diff --check
  • frontmatter parse check
  • Markdown fence balance check
  • YAML fixture parse check: 7 blocks
  • required marker check for AR-SOD-08 through AR-SOD-14
  • privacy marker scan

/claim #889

Payment details can be coordinated privately after maintainer acceptance.
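
The summary above describes a severity calibration in which a role-name match is not scored without effective transaction capability. The following is an added example of that idea, not code from this pull request or the project; the record fields, severity labels and sample values are all hypothetical and do not reflect the PR's fixture schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SodFinding:                      # hypothetical record, not the PR's fixture schema
    subject: str                       # identity holding the conflicting roles
    certifier: str                     # identity that certified the access or exception
    rule_source: Optional[str]         # where the SoD rule comes from; None = no provenance
    path_proven: bool                  # both conflicting transactions shown executable
    environment: str                   # "production" or "sandbox"
    approval_limit: float              # 0 = nothing can actually be posted
    control_operated: Optional[bool]   # None = no control claimed, False = paper-only

def calibrate(f: SodFinding) -> tuple:
    """Return (severity, reasons) for a finding raised by a role-name match."""
    reasons = []
    # Scope guard: without effective capability the match is a false positive.
    if f.environment != "production" or f.approval_limit <= 0:
        return "low", ["no effective transaction capability in scope"]
    # A role-name match alone is not scored high; it needs provenance and a proven path.
    if f.rule_source is None:
        reasons.append("rule provenance missing")
    if not f.path_proven:
        reasons.append("transaction path not proven")
    if reasons:
        return "unverified", reasons
    severity = "high"
    independent = f.certifier != f.subject
    # Only a control with operating evidence and an independent certifier lowers severity.
    if f.control_operated and independent:
        severity = "medium"
        reasons.append("compensating control operated, independently certified")
    elif f.control_operated is False:
        reasons.append("compensating control exists on paper only")
    if not independent:
        reasons.append("exception is self-certified")
    return severity, reasons

# Constructed sample findings (names, rule reference and limits are invented).
SAMPLES = {
    "prod_toxic": SodFinding("alice", "bob", "RULE-EXAMPLE-1", True, "production", 50000, None),
    "sandbox": SodFinding("carol", "bob", "RULE-EXAMPLE-1", True, "sandbox", 50000, None),
    "zero_limit": SodFinding("dave", "bob", "RULE-EXAMPLE-1", True, "production", 0, None),
    "no_provenance": SodFinding("erin", "bob", None, True, "production", 50000, None),
    "paper_control": SodFinding("frank", "bob", "RULE-EXAMPLE-1", True, "production", 50000, False),
    "self_certified": SodFinding("grace", "grace", "RULE-EXAMPLE-1", True, "production", 50000, True),
    "operated_control": SodFinding("heidi", "bob", "RULE-EXAMPLE-1", True, "production", 50000, True),
}
```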
