[Security audit] Add evidence classification to posture and findings #556

Description

@cssbruno

Problem

gowdk audit currently reports posture facts and pass/fail findings, but it does not classify the kind of evidence behind each security statement. Static IR can prove some facts, runtime generated tests can prove others, and app-owned auth/session/resource authorization can only be declared or marked unverified.

Verified in this checkout:

  • cmd/gowdk/audit.go reports version, status, summary, findings, and manifest.
  • internal/securitymanifest.SecurityManifest records routes, endpoints, contracts, frontend facts, guards, CSRF, body limits, public/default-deny state, and source locations.
  • There is no evidence-state field on posture entries or audit findings.

Acceptance criteria

  • Add an evidence classification model for posture items and findings, with at least:
    • verified-static
    • verified-runtime
    • declared
    • unverified-app-owned
    • not-applicable
    • waived
  • Classify guard/CSRF/body-limit/header/raw-HTML facts according to what the compiler/runtime actually verifies.
  • Mark app-owned authentication, session rotation/storage, tenant/resource authorization, and domain authorization obligations honestly instead of implying static proof.
  • Include evidence state in human output, --json, and gowdk-security.json.
  • Define how unresolved unverified-app-owned obligations affect production reports and CI.
  • Add docs/examples showing how a project records app-owned evidence without GOWDK owning auth/session/resource logic.
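The following Go sketch is an added example of what the requested model could look like; it is not code from the gowdk project. The type and function names (`Proof`, `Fact`, `Classify`, `Gate`, `Report`), the list of app-owned obligation kinds, and the CI policy (a production report blocks on `unverified-app-owned`, `declared` only warns) are assumptions made here, since the issue asks for that policy to be defined rather than fixing it. It shows the two points a reviewer of the feature would want to see: a static IR observation about an app-owned obligation is downgraded instead of being reported as verified, and a compiler-owned obligation with no evidence is rejected so it lands in the failing findings rather than in the posture list.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// EvidenceState says what kind of proof backs a posture fact or finding.
// The six values are the ones listed in the acceptance criteria.
type EvidenceState string

const (
	VerifiedStatic     EvidenceState = "verified-static"      // proven from the compiler's IR
	VerifiedRuntime    EvidenceState = "verified-runtime"     // proven by a generated runtime test
	Declared           EvidenceState = "declared"             // asserted by the project, nothing checked it
	UnverifiedAppOwned EvidenceState = "unverified-app-owned" // app logic the framework cannot inspect
	NotApplicable      EvidenceState = "not-applicable"       // obligation does not apply to this route
	Waived             EvidenceState = "waived"               // explicitly waived by the project
)

// Proof records what the toolchain actually established for one obligation
// (hypothetical input shape; the real manifest fields may differ).
type Proof struct {
	Applies     bool // the obligation applies to this route at all
	StaticIR    bool // the compiler proved it from the IR
	RuntimeTest bool // a generated test exercised and confirmed it
	Declared    bool // the project recorded a declaration
	Waiver      bool // the project recorded a justified waiver
}

// Fact is a posture entry as it could appear in --json / gowdk-security.json
// (hypothetical shape).
type Fact struct {
	Kind     string        `json:"kind"`
	Route    string        `json:"route"`
	Evidence EvidenceState `json:"evidence"`
}

// appOwned lists obligation kinds whose logic lives in the application, so a
// static IR observation about them never counts as verified (assumed list).
var appOwned = map[string]bool{
	"authentication": true, "session": true,
	"resource-authorization": true, "domain-authorization": true,
}

// Classify maps proof inputs to an evidence state. Proof outranks declaration,
// and a compiler-owned obligation with no evidence at all is an error so that it
// is reported as a failing finding instead of a posture fact.
func Classify(kind string, p Proof) (EvidenceState, error) {
	switch {
	case !p.Applies:
		return NotApplicable, nil
	case p.Waiver:
		return Waived, nil
	case p.StaticIR && !appOwned[kind]:
		return VerifiedStatic, nil
	case p.RuntimeTest:
		return VerifiedRuntime, nil
	case p.Declared:
		return Declared, nil
	case appOwned[kind]:
		return UnverifiedAppOwned, nil
	}
	return "", fmt.Errorf("%s: no evidence recorded for a compiler-owned obligation", kind)
}

// GateResult is one possible answer to how unresolved obligations affect
// production reports and CI: blocking entries fail the run, warnings do not.
type GateResult struct {
	Blocking []Fact `json:"blocking"`
	Warnings []Fact `json:"warnings"`
}

// Pass reports whether CI should succeed.
func (g GateResult) Pass() bool { return len(g.Blocking) == 0 }

// Gate applies the assumed policy: in a production report unverified-app-owned
// facts block; declared facts warn; outside production both only warn.
func Gate(facts []Fact, production bool) GateResult {
	var g GateResult
	for _, f := range facts {
		switch {
		case f.Evidence == UnverifiedAppOwned && production:
			g.Blocking = append(g.Blocking, f)
		case f.Evidence == UnverifiedAppOwned || f.Evidence == Declared:
			g.Warnings = append(g.Warnings, f)
		}
	}
	return g
}

// Report renders the posture plus the gate decision as indented JSON.
func Report(facts []Fact, g GateResult) ([]byte, error) {
	return json.MarshalIndent(struct {
		Posture []Fact     `json:"posture"`
		Gate    GateResult `json:"gate"`
		Pass    bool       `json:"pass"`
	}{facts, g, g.Pass()}, "", "  ")
}

// fact classifies one constructed obligation; the sample data always classifies.
func fact(kind, route string, p Proof) Fact {
	state, err := Classify(kind, p)
	if err != nil {
		panic(err)
	}
	return Fact{Kind: kind, Route: route, Evidence: state}
}

// sampleFacts is constructed input covering every evidence state.
func sampleFacts() []Fact {
	return []Fact{
		fact("guard", "GET /admin", Proof{Applies: true, StaticIR: true}),
		fact("csrf", "POST /login", Proof{Applies: true, RuntimeTest: true}),
		fact("body-limit", "GET /health", Proof{}), // no request body on GET
		fact("raw-html", "GET /legacy", Proof{Applies: true, Waiver: true}),
		fact("session", "POST /login", Proof{Applies: true, Declared: true}),
		// the compiler sees an auth call in the IR but cannot prove app-owned logic
		fact("authentication", "GET /admin", Proof{Applies: true, StaticIR: true}),
	}
}

func main() {
	facts := sampleFacts()
	out, err := Report(facts, Gate(facts, true))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out)) // production report: pass is false because of the auth fact
}
```

Running the sample in production mode yields one blocking entry (the authentication fact, classified `unverified-app-owned` despite the static observation) and one warning (the declared session fact); the same facts in a non-production report produce two warnings and a passing gate.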

Metadata

Assignees

No one assigned

Labels

  • compiler: Compiler internals, pipeline, and generated metadata
  • enhancement: New feature or request
  • security: Security hardening and security-sensitive behavior

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests