feat(skill): tenant-aware-cache-key-review — reviews cache keys for tenant leakage

[daviediao-code]

What this PR does

Adds tenant-aware-cache-key-review skill for multi-tenant applications. Reviews cache keys for tenant leakage, authorization-before-cache-hit, and access-change invalidation.

Linked approved issue (required for new skills)

Closes #2573

Type of change

• New skill

Reproduction — independently runnable (required)

• Public link to the full run: https://github.com/daviediao-code/SecuritySkills/tree/feature/cache-key-review/skills/secops/cache-key-review
• Target codebase (public repo URL) at a pinned commit SHA: daviediao-code/SecuritySkills@e3ec84c
• Exact command / tool invocation used: cat skills/secops/cache-key-review/SKILL.md followed by cat skills/secops/cache-key-review/tests/vulnerable/tenant-scoped-key-missing.json

Discrimination evidence — true positive AND true negative (required)

• True positive (vulnerable case it correctly flagged), with file:line:
  skills/secops/cache-key-review/tests/vulnerable/tenant-scoped-key-missing.json — flags cache key without tenant scope (OWASP-API-Security-2023-A07)
• True negative (safe case it correctly did NOT flag), with file:line:
  skills/secops/cache-key-review/tests/benign/tenant-scoped-key-present.json — correctly passes when tenant scope is present

Framework grounding

• Frameworks / control IDs used:
  • OWASP API Security Top 10 2023 — A07: Identification and Authentication Failures
  • NIST SP 800-145 — The NIST Definition of Cloud Computing
  • RFC 9110 — HTTP Semantics: Cache-Control headers

Attestation & checklist

• The reproduction above is from a real run I performed (no fabricated output)
• SKILL.md follows format specification in CONTRIBUTING.md / SKILL_TEMPLATE.md
• At least one real framework is cited with correct control IDs
• All framework references verified against primary sources
• Prompt Injection Safety Notice section included
• injection-hardened: true set in frontmatter
• allowed-tools scoped to minimum necessary permissions
• Tested with vulnerable and benign fixtures
• No prohibited patterns per SECURITY.md / injection scan workflow
• index.yaml updated with new skill entry

Requested bounty tier: Intermediate ($350)

Payment details can be provided privately after maintainer acceptance.

[daviediao-code]

Hi @kamalsrini — just bumping this PR for review when you have a moment. The skill tenant-aware-cache-key-review is ready for review with test fixtures and updated index.yaml. Requested bounty tier: Intermediate ($350). Thank you!

[daviediao-code]

Hi @kamalsrini, checking in on this PR. Happy to address any feedback. The skill tenant-aware-cache-key-review is complete with test fixtures and index.yaml update. Thank you!