Add GCP Artifact Registry and org policy evidence gates

[alan747271363-art]

Summary

• add GCP organization policy inheritance/drift evidence so project-level overrides are not treated as compliant without parent policy context
• add Artifact Registry / Artifact Analysis scanning gates for repository inventory, Container Scanning API enablement, repository-level scan settings, and remote repository upstream review
• add Confidential VM applicability evidence before scoring sensitive workloads
• add a documented hybrid service-account-key exception gate so user-managed keys are not blanket-classified without role, rotation, storage, owner, and migration evidence

Scope notes

Addresses #1111. This stays scoped to gcp-review and uses existing CIS sections plus supplemental Google Cloud evidence rather than inventing new benchmark IDs.

Official references used:

• Artifact Analysis automatic scanning: https://cloud.google.com/artifact-analysis/docs/enable-automatic-scanning
• Artifact Registry remote repositories: https://cloud.google.com/artifact-registry/docs/repositories/remote-repo
• Organization Policy constraints and inheritance behavior: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
• Confidential VM overview: https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview

Validation

• git diff --check
• markdown fence balance check for changed files
• required frontmatter field check
• changed-file prompt-safety keyword scan
• final open PR search for direct [REVIEW] gcp-review: add Artifact Registry vulnerability scanning and Organization Policy 'Drift' gates #1111 / Artifact Registry / Organization Policy overlap

Bounty

Skill Improvement / Improver candidate. Payment details can be provided privately after maintainer acceptance.