feat(secure-code-review): add HTTP parser boundary and request smuggling review gates

[RanuK12]

Summary

Adds Step 2.4: HTTP Parser Boundary and Request Smuggling Review to the secure-code-review skill, addressing #1174. This closes a critical coverage gap: the skill previously had no gate for HTTP request smuggling / parser-boundary issues, leaving two failure modes uncovered.

Skill Modified

• Skill name: secure-code-review
• Skill path: skills/appsec/secure-code-review/
• Version bump: 1.0.0 → 1.0.1

What This PR Fixes

False Positive Reduction

The skill now explicitly requires parser mismatch evidence before classifying CWE-444. Large headers, long timeouts, raw-body access, or a reverse proxy in the path are NOT findings by themselves. A concrete false-positive example (Go http.Server with ReadHeaderTimeout + MaxHeaderBytes, no proxy) is documented as "Informational at most."

New Coverage (Step 2.4)

1. Evidence table — 7-row inventory (frontend component, backend parser, protocol translation, boundary header policy, raw-body path, conflict handling, route impact)
2. Vulnerable patterns by stack:
   • Nginx → Node.js: forwarding attacker-controlled Transfer-Encoding
   • Express: global raw-body middleware before framework parser
   • HTTP/2-to-HTTP/1 downgrade without pseudo-header normalization
   • Serverless adapter: base64 body re-encoding without Content-Length recalculation
   • Duplicate Content-Length headers across proxy layers (HAProxy)
   • Global webhook raw-body middleware consuming stream for all routes
3. Benign patterns (FP guidance):
   • Go http.Server with strict parser and bounded limits (no proxy)
   • Route-scoped raw body for webhook signature verification
   • Nginx with proper hop-by-hop header stripping
   • HAProxy with strict duplicate-header rejection
   • Python Flask behind Cloudflare with standard normalization
4. Review checklist — 10 items covering proxy inventory, CL/TE normalization, duplicate headers, hop-by-hop stripping, HTTP/2 downgrade, raw-body scoping, serverless Content-Length recalculation, integration tests, severity classification, and FP avoidance
5. Boundary Evidence field added to Findings Classification table
6. CWE-444 added to supplemental coverage table
7. Pitfall intel: devsecops/compliance social updates 2026-03-25 #6 added to Common Pitfalls section
8. References: OWASP WSTG request smuggling, CWE-444, RFC 9110, Node.js HTTP docs

Test Cases Added

• tests/vulnerable/ — 6 code samples that SHOULD trigger Step 2.4 (CWE-444)
• tests/benign/ — 5 code samples that should NOT be flagged as CWE-444

Acceptance Criteria Mapping

Criterion from #1174	How it is addressed
CL/TE conflict handling	Checklist item + vulnerable pattern #5 (duplicate CL)
Duplicate headers	Checklist item + vulnerable pattern #5
Hop-by-hop header stripping	Checklist item + vulnerable pattern #1 remediation + benign pattern #3
HTTP/2 downgrade	Vulnerable pattern #3 + checklist item
Raw-body scoping	Vulnerable patterns #2, #6 + benign pattern #2 + checklist item
Serverless adapters	Vulnerable pattern #4 + checklist item
Integration tests through proxy path	Checklist item
False positive reduction (Go benign)	Benign pattern #1 + pitfall #6 + "Critical principle" callout
Boundary Evidence in findings	New field in Findings Classification table

Validation

• Markdown fence balance: 56 fences, balanced
• ASCII scan: all ASCII
• Required markers present: CWE-444 (13), Boundary Evidence (1), Content-Length (13), Transfer-Encoding (13), HTTP/2 (8), raw-body (10)
• Prohibited prompt-injection pattern scan: clean
• Reference URLs: OWASP WSTG, CWE-444, RFC 9110, Node.js docs all valid

Bounty Info

I have read and agree to the CONTRIBUTING.md bounty terms.

Bounty tier: Moderate ($100) -- new edge case coverage, FP reduction with evidence
Preferred payment: PayPal (details available privately after acceptance)

Closes #1174