
Add API idempotency and replay evidence gates#1687

Open

Dolpme wants to merge 1 commit into UnitOneAI:main from Dolpme:improve/api-idempotency-replay-evidence


Conversation


@Dolpme Dolpme commented Jun 8, 2026

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with at least one AI coding agent (which one: Codex)
  • No prohibited patterns per SECURITY.md
  • index.yaml updated with new skill entry (if adding a skill; not applicable, existing skill only)

What This PR Does

Addresses #1682.

This improves skills/appsec/api-security by adding idempotency and replay evidence gates for state-changing operations. The update focuses on REST create/update/delete endpoints, GraphQL mutations, webhooks, async event consumers, queue workers, and job APIs where retries or duplicate delivery can repeat a side effect.

Summary:

  • Adds a cross-cutting idempotency/replay evidence gate to SKILL.md.
  • Adds API-REPLAY-* finding IDs for missing duplicate controls, weak key binding, non-atomic duplicate detection, unsafe retry responses, duplicate event handling gaps, missing replay windows, weak concurrency evidence, and missing duplicate/replay alerting.
  • Extends the output template with an idempotency and replay control matrix.
  • Adds detailed API6 checklist guidance, failure examples, evidence requirements, and finding IDs in api-top10-checklist.md.
  • Adds a common pitfall warning that retries are not harmless for state-changing operations.

Framework References

  • OWASP API Security Top 10:2023 API4 and API6 risks
  • OWASP ASVS
  • OWASP REST Security Cheat Sheet
  • OWASP GraphQL Cheat Sheet

Testing

  • git diff --check: passed; only existing Windows line-ending warnings were reported.
  • PowerShell equivalent of lint-skills.yml frontmatter check: passed for all skills/ and roles/ SKILL.md files.
  • PowerShell equivalent of validate-index.yml: all files listed by index.yaml exist.
  • PowerShell equivalent of injection-scan.yml: no prompt injection patterns detected.
  • Markdown fence-balance check: passed for edited files.
  • Targeted issue coverage check: confirmed idempotency/replay gate, REST state-changing endpoints, GraphQL mutations, webhooks, event consumers, async job APIs, actor/tenant/operation/payload binding, atomic duplicate detection, safe retry response behavior, replay windows, all API-REPLAY-* IDs, output matrix, and retry pitfall are present.
  • Official reference availability checked with HTTP 200 for OWASP API Security Top 10, OWASP ASVS, OWASP REST Security Cheat Sheet, and OWASP GraphQL Cheat Sheet.
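The gate described in the PR summary (actor/tenant/operation/payload binding, atomic duplicate detection, safe retry responses, replay windows) is easier to review against a concrete reference. The following is an added example written for this page; it is not code from the PR, the UnitOneAI repository, or the api-security skill, and every name in it (`IdempotencyStore`, `Decision`, `demo`, the scope tuple layout) is an assumption chosen for illustration. A process-local lock stands in for the atomic claim that a real service would take with a unique-constraint insert or a Redis `SET ... NX EX`.

```python
import hashlib
import json
import threading
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple


@dataclass
class Decision:
    """Outcome of running a state-changing call through the idempotency gate."""
    status: str                       # "executed", "replayed", "conflict", or "in_progress"
    response: Optional[Dict[str, Any]] = None


class IdempotencyStore:
    """Single-process idempotency gate (hypothetical example, not the project's code).

    A deployed service would back the claim step with an atomic primitive such as a
    unique-constraint insert or Redis SET ... NX EX; here threading.Lock plays that role.
    """

    def __init__(self, window_seconds: float = 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._lock = threading.Lock()
        self._entries: Dict[Tuple[str, str, str, str], Dict[str, Any]] = {}
        self._window = window_seconds
        self._clock = clock

    @staticmethod
    def _fingerprint(payload: Dict[str, Any]) -> str:
        # Canonical JSON so two encodings of the same body hash identically.
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def execute(self, tenant: str, actor: str, operation: str, key: str,
                payload: Dict[str, Any],
                side_effect: Callable[[Dict[str, Any]], Dict[str, Any]]) -> Decision:
        # The key only has meaning inside its tenant/actor/operation scope, so the
        # same key presented by another tenant or for another operation cannot collide.
        scope = (tenant, actor, operation, key)
        fingerprint = self._fingerprint(payload)
        now = self._clock()

        with self._lock:                        # atomic check-and-claim
            entry = self._entries.get(scope)
            if entry is not None and now - entry["created"] > self._window:
                del self._entries[scope]        # replay window elapsed: key may be reused
                entry = None
            if entry is None:
                self._entries[scope] = {"fp": fingerprint, "created": now,
                                        "state": "in_progress", "response": None}
            elif entry["fp"] != fingerprint:
                return Decision("conflict")     # same key, different payload: reject, run nothing
            elif entry["state"] == "in_progress":
                return Decision("in_progress")  # concurrent duplicate: never run twice
            else:
                return Decision("replayed", entry["response"])  # safe retry: stored result

        # This caller holds the claim; run the side effect exactly once, outside the lock.
        try:
            response = side_effect(payload)
        except Exception:
            with self._lock:
                self._entries.pop(scope, None)  # release the claim so the client can retry
            raise
        with self._lock:
            self._entries[scope].update(state="done", response=response)
        return Decision("executed", response)


def demo() -> Dict[str, Any]:
    """Constructed scenario: a charge endpoint retried, misused and replayed after expiry."""
    clock = [1_000.0]
    store = IdempotencyStore(window_seconds=60, clock=lambda: clock[0])
    ledger = []                                 # one entry per real side effect

    def charge(payload):
        ledger.append(payload["amount"])
        return {"charge_id": f"ch_{len(ledger)}", "amount": payload["amount"]}

    first = store.execute("acme", "user-1", "POST /charges", "k-1", {"amount": 500}, charge)
    retry = store.execute("acme", "user-1", "POST /charges", "k-1", {"amount": 500}, charge)
    misuse = store.execute("acme", "user-1", "POST /charges", "k-1", {"amount": 9_999}, charge)
    other = store.execute("globex", "user-7", "POST /charges", "k-1", {"amount": 500}, charge)
    clock[0] += 61                              # step past the replay window
    expired = store.execute("acme", "user-1", "POST /charges", "k-1", {"amount": 500}, charge)

    return {"statuses": [first.status, retry.status, misuse.status, other.status, expired.status],
            "same_response": first.response == retry.response,
            "side_effects": len(ledger)}


if __name__ == "__main__":
    print(demo())
```

A webhook or queue consumer uses the same path with the provider's event id as `key` and the delivery body as `payload`; `in_progress` is the case a reviewer should look for first, because a store that checks and then writes in two steps lets two concurrent deliveries both reach the side effect. Mapping the statuses to HTTP is a design choice (for instance `conflict` as a 4xx validation error and `in_progress` as 409) and is not something the PR prescribes.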
