
Add firewall IPv6 service tag evidence gates #2591

Closed
IvanchitorJR wants to merge 1 commit into UnitOneAI:main from IvanchitorJR:improve/firewall-ipv6-service-tag-evidence

Conversation

@IvanchitorJR


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: firewall-review
Skill path: skills/network/firewall-review/

Related review issue: #2546.

What Was Wrong

The firewall-review skill had strong default-deny, any/any, shadowed-rule, logging, unused-rule, and egress guidance. It only mentioned IPv6 as a common pitfall and did not require reviewers to prove the effective dual-stack path or expand provider-managed abstractions.

That can create false positives and false negatives:

  • a public IPv4 rule may look fixed while ::/0 or another public IPv6 path remains open;
  • an IPv4-only finding may be overstated if IPv6 is explicitly disabled or equivalently denied across edge, load balancer, cloud firewall, host, and Kubernetes layers;
  • a friendly service tag, managed prefix list, CDN/WAF object, or vendor range can hide broad regional/provider exposure unless it is expanded and tied to compensating resource-level controls;
  • manually copied provider/CDN ranges can drift without owner, refresh cadence, or failed-refresh alerting.

What This PR Fixes

  • Bumps firewall-review to 1.0.1.
  • Adds discovery patterns for service tags, prefix lists, provider ranges, CDN/WAF objects, and IPv6/dual-stack fields.
  • Adds a Dual-Stack, Service-Tag, and Provider-Range Effective Exposure section.
  • Requires IPv6 parity evidence across effective enforcement layers.
  • Requires service tag / prefix list / provider range expansion source, timestamp, region/service scope, and CIDR family review.
  • Adds compensating-control guidance for broad provider tags: private endpoint, resource policy, identity condition, origin validation, WAF rule, or mTLS.
  • Adds provider/CDN drift-management checks and split-enforcement checks across SG/NACL/host/WAF/Kubernetes/service mesh layers.
  • Adds finding triggers FW-DUAL-01, FW-DUAL-02, FW-TAG-01, FW-TAG-02, FW-DRIFT-01, and FW-SPLIT-01.
  • Extends the report template with a dual-stack/provider-abstraction evidence table.
  • Adds paired JSON fixtures for a benign constrained service-tag case and a vulnerable IPv6-any/provider-tag-without-expansion case.

Evidence

Before:
The skill warned that IPv6 rules can be ignored, but did not require proof that IPv6 was disabled/equivalently restricted or that provider tags and prefix lists had been expanded. A reviewer could accept a narrow-looking IPv4 rule or a friendly provider object without seeing the effective reachable surface.

After:
Reviewers must record IPv4/IPv6 evidence, expanded objects/tags, compensating controls, drift management, and split-enforcement status before classifying the firewall rule.

Test Cases Added/Updated

  • Added benign fixture: skills/network/firewall-review/tests/benign/ipv6-disabled-service-tag-constrained.json
  • Added vulnerable fixture: skills/network/firewall-review/tests/vulnerable/ipv6-any-service-tag-no-expansion.json
  • Existing repository-style validations passed locally

Validation

  • git diff --check
  • git diff --cached --check
  • Required frontmatter field check across skills/**/SKILL.md and roles/**/SKILL.md
  • index.yaml referenced path existence check
  • Markdown fence balance check for skills/network/firewall-review/SKILL.md
  • JSON parse checks for both new fixtures
  • Marker checks for Dual-Stack, Service-Tag, and Provider-Range Effective Exposure, FW-DUAL-01, FW-DUAL-02, FW-TAG-01, FW-TAG-02, FW-DRIFT-01, FW-SPLIT-01, report table, and changelog
  • Workflow-equivalent prompt-injection pattern scan over skills and roles
  • ASCII-only check for added fixtures

Duplicate Check

Checked open and closed PRs for:

  • firewall-review + IPv6 parity / service tag expansion
  • firewall-review + CDN/provider range drift / split enforcement
  • firewall-review + service tag / prefix list / IPv6

Related existing firewall work covers DNS/QUIC egress bypasses and cloud object expansion for proxy/egress classification. This PR is scoped to dual-stack effective exposure, IPv6 parity, provider-range drift, and split-enforcement evidence requested by #2546.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, false-positive reduction, and calibration fixtures
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.
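As an added illustration of the evidence gates described in the PR text above (this is example code written for this page, not code from the PR, the firewall-review skill, or its fixtures), the script below runs two constructed rule sets through the checks the description calls for: IPv6 parity (a narrow IPv4 allow must not be shadowed by an IPv6 any-source allow, and a "disabled" claim needs recorded evidence), provider-tag expansion (source, timestamp, scope, CIDR family), drift against a refresh cadence, and a compensating control for broad tags. The JSON shape, the 30-day cadence, the "broad" threshold, and the mapping of each check onto the FW-DUAL/FW-TAG/FW-DRIFT IDs are assumptions made here; the real skill may define them differently.

```python
"""Dual-stack parity and provider-tag expansion checks over constructed rule sets.

Added example, not the firewall-review skill's own code: the JSON shape, the
finding-ID mapping, the refresh cadence and the "broad" threshold are assumptions.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 14, tzinfo=timezone.utc)   # constructed review date
MAX_EXPANSION_AGE = timedelta(days=30)             # assumed refresh cadence
BROAD_TAG_ADDRESSES = 2 ** 16                      # assumed "broad" threshold (IPv4)

# Constructed vulnerable case: the IPv4 rule for 443 looks fixed while ::/0 is still
# open on the same port, and a provider tag is used with no expansion evidence.
VULNERABLE = json.loads("""{
  "ipv6": {"status": "enabled", "evidence": ""},
  "rules": [
    {"id": "r1", "action": "allow", "proto": "tcp", "port": 443, "source": "203.0.113.0/24"},
    {"id": "r2", "action": "allow", "proto": "tcp", "port": 443, "source": "::/0"},
    {"id": "r3", "action": "allow", "proto": "tcp", "port": 3306, "source": "tag:Storage.Region"}
  ],
  "expansions": {},
  "compensating_controls": {}
}""")

# Constructed benign case: IPv6 disabled with recorded evidence, tag expanded recently
# with a resource-level control tied to the rule that uses it.
BENIGN = json.loads("""{
  "ipv6": {"status": "disabled", "evidence": "sysctl net.ipv6.conf.all.disable_ipv6=1 on all hosts"},
  "rules": [
    {"id": "r1", "action": "allow", "proto": "tcp", "port": 443, "source": "203.0.113.0/24"},
    {"id": "r3", "action": "allow", "proto": "tcp", "port": 3306, "source": "tag:Storage.Region"}
  ],
  "expansions": {
    "tag:Storage.Region": {"source": "provider API", "timestamp": "2026-06-10T00:00:00+00:00",
      "scope": "Storage/Region", "cidrs": ["198.51.100.0/24", "2001:db8:10::/48"]}
  },
  "compensating_controls": {"r3": "private endpoint + resource policy"}
}""")


def literal_family(src):
    """Return 4 or 6 for a literal CIDR, or None for a tag / prefix-list reference."""
    try:
        return ipaddress.ip_network(src, strict=False).version
    except ValueError:
        return None


def is_any(src):
    return literal_family(src) is not None and ipaddress.ip_network(src, strict=False).prefixlen == 0


def dual_stack_findings(ruleset):
    """IPv6 parity: an evidenced disable satisfies parity; an unproven disable does not."""
    findings = []
    v6 = ruleset["ipv6"]
    if v6["status"] == "disabled" and v6["evidence"]:
        return findings                        # nothing reachable over IPv6 at this layer
    if v6["status"] == "disabled":
        findings.append(("FW-DUAL-02", "ipv6", "disabled claimed without evidence; treating as enabled"))
    by_service = {}
    for r in ruleset["rules"]:
        fam = literal_family(r["source"])
        if r["action"] != "allow" or fam is None:
            continue
        by_service.setdefault((r["proto"], r["port"]), {4: [], 6: []})[fam].append(r)
    for (proto, port), fams in by_service.items():
        narrow_v4 = [r["id"] for r in fams[4] if not is_any(r["source"])]
        any_v6 = [r["id"] for r in fams[6] if is_any(r["source"])]
        if narrow_v4 and any_v6:
            findings.append(("FW-DUAL-01", f"{proto}/{port}", f"IPv6 any via {any_v6} bypasses {narrow_v4}"))
    return findings


def tag_findings(ruleset, now=NOW):
    """Tags/prefix lists must be expanded, fresh, and, when broad, tied to a compensating control."""
    findings = []
    for r in ruleset["rules"]:
        src = r["source"]
        if r["action"] != "allow" or literal_family(src) is not None:
            continue
        exp = ruleset["expansions"].get(src)
        if not exp or not {"source", "timestamp", "scope", "cidrs"} <= set(exp):
            findings.append(("FW-TAG-01", r["id"], f"{src} used without expansion evidence"))
            continue
        if now - datetime.fromisoformat(exp["timestamp"]) > MAX_EXPANSION_AGE:
            findings.append(("FW-DRIFT-01", r["id"], f"{src} expansion older than refresh cadence"))
        nets = [ipaddress.ip_network(c) for c in exp["cidrs"]]
        v4_size = sum(n.num_addresses for n in nets if n.version == 4)
        broad = v4_size >= BROAD_TAG_ADDRESSES or any(n.version == 6 for n in nets)  # any v6 prefix counts as broad
        if broad and r["id"] not in ruleset["compensating_controls"]:
            findings.append(("FW-TAG-02", r["id"], f"broad {src} ({v4_size} IPv4 addrs) with no compensating control"))
    return findings


def review(ruleset, now=NOW):
    return dual_stack_findings(ruleset) + tag_findings(ruleset, now)


if __name__ == "__main__":
    for name, rs in (("vulnerable", VULNERABLE), ("benign", BENIGN)):
        print(name)
        for fid, where, why in review(rs):
            print(f"  {fid} {where}: {why}")
```

Run as-is, the vulnerable set yields FW-DUAL-01 for tcp/443 and FW-TAG-01 for r3, while the benign set yields nothing; aging the benign expansion past the cadence produces FW-DRIFT-01 only, and changing the vulnerable set's IPv6 status to "disabled" with empty evidence adds FW-DUAL-02 without suppressing the parity finding.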

@IvanchitorJR IvanchitorJR requested a review from kamalsrini as a code owner June 14, 2026 20:19
@kamalsrini

Contributor

Thanks for contributing to SecuritySkills, and for your interest in the project 🙏

We're resetting the contribution queue, so we're closing the currently open PRs — this isn't a reflection of your work, and you're welcome to resubmit.

When you do, please include evidence that the skill was actually used: the skill run against a real repository, with the findings it produced. That's how we recognize genuinely useful contributions, and it's where strong work stands out. The PR template lays out exactly what to include: https://github.com/UnitOneAI/SecuritySkills/blob/main/.github/PULL_REQUEST_TEMPLATE.md

@kamalsrini kamalsrini closed this Jun 15, 2026
