Improve secrets classification and storage evidence

[alan747271363-art]

Summary

• add public-by-design and known non-secret shape filters to reduce false positives on publishable client keys, SRI hashes, git SHAs, lockfile hashes, and UUIDs
• expand current provider prefix coverage and add Kubernetes Secret / base64 decode-and-rescan guidance without printing decoded values
• add storage protection evidence for HSM/KMS-backed high-sensitivity key material and PII stored in secret managers
• add log masking and post-exposure persistence checks for leaked credential remediation

Scope notes

Addresses #1105 and the PII/HSM/log-masking portions of #1108 in one scoped update to secrets-management. No real secret values are added; examples use prefixes, placeholders, or type-only reporting.

Official references used:

• OWASP Secrets Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
• OWASP Logging Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
• Kubernetes Secrets: https://kubernetes.io/docs/concepts/configuration/secret/
• Kubernetes Secrets good practices: https://kubernetes.io/docs/concepts/security/secrets-good-practices/
• NIST SP 800-57 Part 1 Rev. 5 PDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf

Validation

• git diff --check
• markdown fence balance check for skills/devsecops/secrets-management/SKILL.md
• required frontmatter field check
• changed-file prompt-safety keyword scan
• final open PR search for direct secrets-management [REVIEW] secrets-management: public-by-design key false positives, base64 K8s Secret misses, dated prefix catalog #1105/[REVIEW] secrets-management: add PII/sensitive-data overlap and HSM/KMS-backed storage gates #1108 overlap

Bounty

Skill Improvement / Improver candidate. Payment details can be provided privately after maintainer acceptance.