feat: add inline security group rules guidance#8

Open
os11k wants to merge 1 commit into antonbabenko:master from os11k:feature/inline-sg-rules-guidance
Conversation

@os11k os11k commented Feb 13, 2026

Summary

  • Add guidance to avoid inline ingress/egress blocks in aws_security_group resources
  • Recommend separate aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule resources (AWS provider v5+)
  • Include comparison table explaining why inline rules cause issues (SG recreation, state management, for_each support)
  • Update baseline test Scenario 3 with new success criterion

Files Changed

  • SKILL.md — Added bullet points to Don't/Do security checklist
  • references/security-compliance.md — Added detailed examples, comparison table, and rationale
  • tests/baseline-scenarios.md — Added success criterion for inline rule detection

Testing Evidence

Scenario Tested

Scenario 3: Security Scanning Omission (tests/baseline-scenarios.md)

Baseline (WITHOUT changes — marketplace plugin v1.6.0)

  • ✅ Flagged public S3 bucket
  • ✅ Flagged wide-open security group
  • ❌ Did NOT flag inline ingress/egress blocks
  • ❌ Suggested fix using inline blocks (perpetuated anti-pattern)

Compliance (WITH changes — local skill with updates)

  • ✅ Flagged public S3 bucket
  • ✅ Flagged wide-open security group
  • ✅ Flagged inline ingress/egress blocks as a distinct issue
  • ✅ Recommended aws_vpc_security_group_ingress_rule as replacement
  • ✅ Explained conflict/modularity rationale

Key Behavioral Change

Without the skill, the agent perpetuated the inline anti-pattern in its own fix suggestion. With the skill, it identified inline rules as a separate issue and recommended modern separate rule resources.

Testing Checklist

  • Identified affected scenarios from tests/baseline-scenarios.md
  • Ran baseline WITHOUT changes (documented above)
  • Applied changes
  • Ran compliance WITH changes (documented above)
  • Verified behavior improvement
  • No new rationalizations discovered

- Add DON'T/DO guidance for inline vs separate SG rule resources
- Recommend aws_vpc_security_group_ingress/egress_rule (AWS provider v5+)
- Include comparison table explaining why inline rules cause issues
- Update baseline test scenario with new success criterion
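The inline-versus-separate pattern the PR's guidance is about, shown side by side as an added example (this is not code from the PR or from the antonbabenko repository; the `vpc_id` variable, the `web` group name, the constructed rule map in `locals` and the TEST-NET address ranges are assumptions made for the example). The inline group is the shape the baseline run failed to flag; the second group shows the `aws_vpc_security_group_ingress_rule` / `aws_vpc_security_group_egress_rule` form the PR recommends, including the `for_each` rule map that inline blocks cannot express:

```hcl
# Added example, not from the PR or its repository. Assumed/constructed:
# var.vpc_id, the "web" group names, the local.web_ingress map and its CIDRs.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0" # aws_vpc_security_group_*_rule resources need provider v5+
    }
  }
}

variable "vpc_id" {
  type = string
}

# --- DON'T: inline ingress/egress blocks ----------------------------------
# The whole rule set is an attribute of the group, so rules cannot be managed
# individually with for_each, and any rule attached to this group by another
# module or resource is seen as drift and removed on the next apply.
resource "aws_security_group" "web_inline" {
  name   = "web-inline"
  vpc_id = var.vpc_id

  ingress {
    description = "HTTPS from the office range"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # TEST-NET-3, constructed value
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # allow-all egress, the usual inline default
  }
}

# --- DO: group without inline blocks, one resource per rule ---------------
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = var.vpc_id
}

locals {
  # Constructed rule map: one aws_vpc_security_group_ingress_rule per entry.
  # Adding or removing an entry touches only that rule, not the group.
  web_ingress = {
    https_office = { cidr = "203.0.113.0/24", port = 443, description = "HTTPS from the office range" }
    https_vpn    = { cidr = "198.51.100.0/24", port = 443, description = "HTTPS from the VPN range" }
  }
}

resource "aws_vpc_security_group_ingress_rule" "web" {
  for_each = local.web_ingress

  security_group_id = aws_security_group.web.id
  description       = each.value.description
  cidr_ipv4         = each.value.cidr
  from_port         = each.value.port
  to_port           = each.value.port
  ip_protocol       = "tcp"

  tags = { Name = each.key }
}

# Egress scoped to what the workload needs, instead of the inline allow-all.
resource "aws_vpc_security_group_egress_rule" "web_https_out" {
  security_group_id = aws_security_group.web.id
  description       = "HTTPS to anywhere"
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}
```

A review that applies the PR's checklist would flag any `ingress` or `egress` block inside an `aws_security_group` (the `web_inline` resource here) and accept the `web` group, whose rules are addressable one at a time in state (for example `aws_vpc_security_group_ingress_rule.web["https_office"]`) and can be reviewed, imported or removed without recreating the group.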