Add VPC Service Controls evidence gates to GCP review

[tick25108-cpu]

Summary

Closes #1169.

This updates gcp-review so VPC Service Controls claims are evaluated as supplemental data-boundary evidence instead of being silently folded into the CIS score.

What changed

• Adds a supplemental VPC-SC review step for sensitive BigQuery, Cloud Storage, and restricted-service environments.
• Separates enforced perimeter state from dry-run spec state so dry-run coverage is not treated as active enforcement.
• Adds evidence fields for perimeter type, enforced resources/services, dry-run deltas, bridge membership, ingress/egress rules, access levels, Shared VPC coverage, routing assumptions, and evidence source.
• Adds checks for broad perimeter bridges, broad ingress/egress rules, missing rendered-state evidence, Shared VPC gaps, and overclaimed VPC-SC boundaries.
• Extends the report template with Supplemental VPC-SC-* findings and a dedicated VPC Service Controls evidence table.
• Adds Google Cloud VPC Service Controls references and bumps the skill version to 1.0.1.

Validation

• git diff --check
• Frontmatter required-field check
• Markdown fence balance check
• Marker checks for VPC-SC-01 through VPC-SC-06, dry-run, bridge, Shared VPC, and the prompt-injection safety notice
• Reference URL checks returned HTTP 200 for the Google Cloud VPC Service Controls overview, dry-run mode, ingress/egress rules, and perimeter bridge documentation

Bounty

Submitting this as an Improver contribution under the repository contribution guidelines. Payment details can be provided privately after maintainer acceptance.