feat(skill): add geo-redundant secret replication review#2577

Open
weilixiong wants to merge 1 commit into UnitOneAI:main from weilixiong:new-skill/geo-redundant-secret-replication-review

Conversation

@weilixiong


Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md / SKILL_TEMPLATE.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources: OWASP Secrets Management, NIST SP 800-57 Part 1 Rev. 5, and NIST SP 800-53 Rev. 5
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with Codex against the included vulnerable and benign fixtures
  • No prohibited patterns per SECURITY.md / injection scan workflow
  • index.yaml updated with new skill entry

What This PR Does

Adds geo-redundant-secret-replication-review, a new DevSecOps/secrets skill for reviewing cross-region secret replication designs. The skill covers:

  • primary vs replica decrypt principal parity
  • KMS/key vault custody and customer-managed key matching
  • residency and approved-region controls
  • rotation, delete, disable, incident revocation, and cache invalidation propagation
  • break-glass and DR restore approval, attribution, expiry, and audit evidence
  • backup/failover precision traps and false-positive guidance

It also adds 3 vulnerable fixtures and 3 benign fixtures for AWS, GCP, and Vault-style DR replication patterns.

Fixes #2426

Requested bounty tier: Intermediate ($350).

Framework References

  • OWASP Secrets Management Cheat Sheet
  • NIST SP 800-57 Part 1 Rev. 5
  • NIST SP 800-53 Rev. 5: AC-3, AU-12, CP-9, SC-12, SC-28, SI-7

Testing

Local validation performed:

  • frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index file existence and skill_count consistency check
  • prompt injection pattern scan matching .github/workflows/injection-scan.yml
  • git diff --check

Codex was used to review the included vulnerable and benign fixtures for expected trigger/suppression behavior.
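A small checker illustrating the review points listed in the description above (decrypt principal parity, customer-managed key matching, approved-region residency, and rotation/revocation propagation). This is an added example, not code from the PR or the skill; the design dictionary layout, the approved-region set and the account id are assumptions chosen for the sample.

```python
"""Added example (not the skill's own code): flag parity gaps in a
cross-region secret replication design. The design layout is assumed."""

APPROVED_REGIONS = {"us-east-1", "us-west-2"}  # assumed residency policy

def key_id(arn):
    """Last path segment of a KMS key ARN; multi-Region replicas share it."""
    return arn.rsplit("/", 1)[-1]

def review_replication(design, approved_regions=APPROVED_REGIONS):
    """Return (region, finding) pairs; an empty list means no gaps found."""
    primary = design["primary"]
    findings = []
    for rep in design["replicas"]:
        region = rep["region"]
        if region not in approved_regions:
            findings.append((region, "replica outside approved residency regions"))
        # Decrypt principal parity: a replica must not widen who can read the secret.
        extra = rep["decrypt_principals"] - primary["decrypt_principals"]
        if extra:
            findings.append((region, f"extra decrypt principals: {sorted(extra)}"))
        # Key custody: replica must use a customer-managed key matching the primary.
        if not rep["kms_key"]:
            findings.append((region, "provider-managed key instead of the primary CMK"))
        elif key_id(rep["kms_key"]) != key_id(primary["kms_key"]):
            findings.append((region, "CMK does not match the primary key id"))
        # Lifecycle propagation: rotation and revocation must reach every replica.
        for event in ("rotation", "revocation"):
            if not rep.get(f"propagates_{event}"):
                findings.append((region, f"{event} does not propagate to replica"))
    return findings

# Constructed sample: one compliant replica, one with several gaps.
ACCT = "111122223333"  # placeholder account id
APP = f"arn:aws:iam::{ACCT}:role/app"
SAMPLE_DESIGN = {
    "primary": {"region": "us-east-1", "kms_key": f"arn:aws:kms:us-east-1:{ACCT}:key/mrk-example",
                "decrypt_principals": {APP}, "propagates_rotation": True, "propagates_revocation": True},
    "replicas": [
        {"region": "us-west-2", "kms_key": f"arn:aws:kms:us-west-2:{ACCT}:key/mrk-example",
         "decrypt_principals": {APP}, "propagates_rotation": True, "propagates_revocation": True},
        {"region": "eu-central-1", "kms_key": None,  # outside approved set, default key
         "decrypt_principals": {APP, f"arn:aws:iam::{ACCT}:role/dr-operator"},
         "propagates_rotation": True, "propagates_revocation": False},
    ],
}

if __name__ == "__main__":
    for region, finding in review_replication(SAMPLE_DESIGN):
        print(f"[{region}] {finding}")
```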


Development

Successfully merging this pull request may close these issues.

[NEW SKILL] geo-redundant-secret-replication-review