Problem
api-security maps APIs to the OWASP API Security Top 10, including API6 (Unrestricted Access to Sensitive Business Flows) and API4 (Unrestricted Resource Consumption), but it does not require reviewers to verify idempotency and replay controls on state-changing operations.
That leaves a practical gap for endpoints that create charges, transfer funds, approve workflows, enqueue jobs, delete resources, process webhooks, or execute GraphQL mutations. Client retries, mobile double-taps, webhook redelivery, queue redelivery, and concurrent duplicate requests can trigger the same side effect more than once unless idempotency keys, nonces, event IDs, atomic uniqueness controls, or equivalent protections are present.
Proposed improvement
Add a state-changing idempotency and replay evidence gate that requires reviewers to collect:
- Inventory of state-changing REST endpoints, GraphQL mutations, webhooks, and async jobs.
- Idempotency key enforcement for high-impact create/charge/transfer/approve operations.
- Replay windows for nonces, timestamps, signatures, and webhook/event IDs.
- Atomic duplicate detection that works across replicas, retries, queues, and failover.
- Safe response behavior for retries: original result or conflict, not a second side effect.
- Binding of idempotency keys/nonces to actor, tenant, operation, and payload hash.
- Concurrency evidence for balance, inventory, quota, approval, and uniqueness-sensitive operations.
- Logging and alerting for duplicate/replay rejects and retry storms.
This should be a documentation-only skill enhancement with no new tool permissions.
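As an added illustration of what the evidence gate asks reviewers to look for (this is example code written for this proposal, not part of the api-security skill or any project it reviews), the Python sketch below implements the controls in the list: an idempotency key bound to tenant, actor, operation and payload hash; an atomic claim on that scoped key, so concurrent duplicates cannot both pass a get-then-set race; replay responses that return the original result or a conflict instead of a second side effect; and a webhook receiver with a signed timestamp, a replay window and event-ID deduplication bounded by that window. The in-memory store with a lock stands in for whatever atomic primitive the real system uses across replicas (a unique index, SET NX, a conditional write). The names ChargeService, WebhookReceiver, sign_webhook, the 409/422 status choices, the shared secret and the sample payloads are assumptions for the example.

```python
import hashlib
import hmac
import json
import threading

IN_PROGRESS = object()  # key claimed, original request not finished yet


class IdempotencyStore:
    """In-memory stand-in for an atomic store (unique index, SET NX, ...)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._entries = {}  # scoped key -> [payload fingerprint, result]

    def claim(self, key, fingerprint):
        """Return ("new", None), ("replay", result) or ("conflict", None)."""
        with self._lock:  # models the atomicity the real store must provide
            entry = self._entries.get(key)
            if entry is None:
                self._entries[key] = [fingerprint, IN_PROGRESS]
                return "new", None
            if entry[0] != fingerprint:
                return "conflict", None  # same key reused for a different payload
            return "replay", entry[1]

    def complete(self, key, result):
        with self._lock:
            self._entries[key][1] = result


class ChargeService:
    """Hypothetical POST /charges handler; self.ledger records the side effects."""

    def __init__(self):
        self.store = IdempotencyStore()
        self.ledger = []
        self._ledger_lock = threading.Lock()

    def charge(self, tenant, actor, idem_key, payload):
        # Bind the client key to tenant, actor, operation and payload hash.
        scoped_key = f"{tenant}:{actor}:POST /charges:{idem_key}"
        fingerprint = hashlib.sha256(
            json.dumps(payload, sort_keys=True).encode()).hexdigest()
        state, prior = self.store.claim(scoped_key, fingerprint)
        if state == "conflict":
            return 422, {"error": "idempotency key reused with a different payload"}
        if state == "replay":
            if prior is IN_PROGRESS:
                return 409, {"error": "original request still in progress"}
            return 200, prior  # original result; no second side effect
        with self._ledger_lock:  # "new": the side effect happens exactly once
            charge_id = f"ch_{len(self.ledger) + 1}"
            self.ledger.append({"id": charge_id, "tenant": tenant, **payload})
        result = {"id": charge_id, "amount": payload["amount"]}
        self.store.complete(scoped_key, result)
        return 201, result


def sign_webhook(secret, timestamp, body):
    """HMAC over timestamp and body, so neither can be altered on replay."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Accepts each signed event once; rejects stale, tampered and redelivered ones."""

    def __init__(self, secret, window_seconds=300):
        self.secret, self.window = secret, window_seconds
        self._seen, self._lock = {}, threading.Lock()  # event id -> accept time

    def handle(self, body, timestamp, signature, now):
        if abs(now - timestamp) > self.window:
            return "rejected_stale"  # outside the replay window
        if not hmac.compare_digest(sign_webhook(self.secret, timestamp, body), signature):
            return "rejected_signature"
        event_id = json.loads(body)["id"]
        with self._lock:
            for eid, ts in list(self._seen.items()):  # keep the dedup set bounded
                if now - ts > self.window:
                    del self._seen[eid]
            if event_id in self._seen:
                return "duplicate"  # redelivery: acknowledge, do not reprocess
            self._seen[event_id] = now
        return "processed"


def concurrent_duplicates(n=8):
    """n threads send the same charge at once; exactly one charge must be made."""
    svc, statuses = ChargeService(), []
    payload = {"amount": 1500, "currency": "EUR"}  # constructed sample request

    def worker():
        statuses.append(svc.charge("t1", "u1", "key-abc", payload)[0])

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(svc.ledger), statuses
```

Running concurrent_duplicates() gives one ledger entry and one 201; the other callers see either the stored result (200) or a 409 because the first request had not finished. A reviewer applying the gate would ask for the equivalent evidence against the real store: the claim must be a single atomic operation, the key must be scoped so one tenant's key cannot collide with another's, and the duplicate and replay rejects produced here should be visible in logs.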