
feat(zero-trust-assessment): add private app connector fail-open gates (#2744)#2753

Closed
zeroknowledge0x wants to merge 1 commit into
UnitOneAI:mainfrom
zeroknowledge0x:improve/zero-trust-assessment-private-connector-fail-open-gates

Conversation

@zeroknowledge0x

Summary

Adds private app connector fail-open gates to the zero-trust-assessment skill so that zero-trust access does not degrade into implicit trust when ZTNA connectors fail, lose policy sync, or encounter network conditions that bypass enforcement.

Business impact: Many ZTNA deployments silently fail-open during connector outages — traffic reaches internal apps without policy enforcement, VPN fallback activates granting network-level trust, or split DNS exposes direct private IP addresses. This gap means organizations believe they have zero-trust enforcement when they actually have perimeter-level trust behind a ZTNA façade.

Addresses #2744.

Changes

1. Seven new Network pillar findings (ZT-NET-12 through ZT-NET-18)

  • ZT-NET-12: Connector fail-open — outage silently bypasses enforcement
  • ZT-NET-13: Health check reports healthy while policy sync is stale
  • ZT-NET-14: Split DNS exposes direct private app address
  • ZT-NET-15: Emergency bypass persists after recovery (no expiry/owner/audit)
  • ZT-NET-16: VPN fallback during connector outage
  • ZT-NET-17: Private apps reachable from trusted networks without connector
  • ZT-NET-18: Fail-open mode never validated empirically

2. Private App Connector Fail-Open Gates subsection

  • 6-step fail-open test procedure with expected fail-closed behavior and fail-open red flags:
    1. Disable connector → verify controlled denial
    2. Revoke policy sync → verify stale policy rejection
    3. Test direct route to private app IP → verify firewall blocks
    4. Resolve private app FQDN → verify no split DNS leak
    5. Check VPN fallback → verify no silent fallback
    6. Test from trusted network → verify connector still required
  • Bypass governance requirements table: owner, expiry, audit trail, scope, notification
  • Edge cases: health check vs sync staleness, persistent bypass, split DNS, passive mode, multi-connector inconsistency

3. Connector Enforcement maturity criteria row

Added to the Networks maturity assessment table mapping Traditional → Optimal progression.

4. Common Pitfall #8

"Assuming connectors fail closed" — warns that ZTNA products often default to fail-open for availability.

5. Version bump to 1.1.0

Issue coverage

Every element from the issue is addressed:

  • ✅ "Add fail-open test: disable connector, revoke policy sync, test direct route, test DNS, and record outcome" → 6-step test procedure
  • ✅ "Require bypass owner, expiry, and audit trail" → Bypass Governance Requirements table
  • ✅ "Flag private apps reachable without policy enforcement" → ZT-NET-17 finding + test procedure steps 3, 6
  • ✅ "Connector health check passes while policy sync fails" → ZT-NET-13 + edge case 1
  • ✅ "Split DNS exposes direct private address" → ZT-NET-14 + edge case 3
  • ✅ "Emergency bypass persists after outage" → ZT-NET-15 + edge case 2

Addresses UnitOneAI#2744. Adds comprehensive private app connector fail-open
assessment to the Networks pillar:

- 7 new findings (ZT-NET-12 through ZT-NET-18) covering fail-open
  behavior, stale policy sync, split DNS leaks, persistent bypass,
  VPN fallback, trusted-network bypass, and unvalidated failure modes
- Fail-Open Test Procedure: 6-step empirical validation of connector
  failure behavior (disable connector, revoke policy sync, test direct
  route, test DNS resolution, check VPN fallback, test from trusted
  networks)
- Bypass Governance Requirements: owner, expiry, audit trail, scope,
  and notification controls for emergency bypass
- Edge Cases: health check vs policy sync staleness, persistent bypass
  after recovery, split DNS leaks, passive mode, multi-connector
  inconsistency
- Connector Enforcement maturity criteria row in Networks assessment
  table (Traditional through Optimal)
- Common Pitfall UnitOneAI#8: warning against assuming connectors fail closed
- Version bumped to 1.1.0
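The six-step fail-open test procedure and the bypass governance table above describe observations an assessor records by hand. As an added example (not code from this PR or from the SecuritySkills project), the script below turns those recorded outcomes into the PR's finding IDs (ZT-NET-12 through ZT-NET-18). The finding IDs and the step-to-finding mapping follow the PR's "Issue coverage" list; the record field names, the 15-minute policy staleness threshold, and all sample data are assumptions constructed for this example.

```python
"""Map fail-open test outcomes and bypass records to ZT-NET findings.

Added example; not part of the PR. Finding IDs come from the PR text, the
probe/bypass field names, staleness threshold and sample data are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed: a connector whose policy sync is older than this is "stale".
POLICY_STALE_AFTER = timedelta(minutes=15)


@dataclass
class ConnectorProbe:
    """Recorded outcome of the six test steps for one private app (assumed schema)."""
    app: str
    denied_when_connector_down: bool                    # step 1: controlled denial?
    stale_policy_rejected: bool                         # step 2: stale policy refused?
    direct_route_blocked: bool                          # step 3: firewall blocks private IP?
    split_dns_leak: bool                                # step 4: FQDN resolved to private IP?
    vpn_fallback_activated: bool                        # step 5: VPN silently took over?
    reachable_without_connector_from_trusted_net: bool  # step 6: office net bypasses connector?
    health_check_healthy: bool                          # connector health at probe time
    last_policy_sync: Optional[datetime]                # last successful policy sync


@dataclass
class BypassRecord:
    """One emergency bypass entry; governance fields from the PR's table (assumed schema)."""
    bypass_id: str
    owner: Optional[str]
    expires_at: Optional[datetime]
    audit_ticket: Optional[str]
    scope: Optional[str]
    notified: bool


def evaluate_probe(p: ConnectorProbe, now: datetime) -> list[str]:
    """Return the finding IDs raised by a single app's test outcomes."""
    findings: list[str] = []
    # Steps 1 and 2: enforcement disappears when the connector or its policy fails.
    if not p.denied_when_connector_down or not p.stale_policy_rejected:
        findings.append("ZT-NET-12")
    # Edge case 1: health check says healthy while policy sync is stale.
    sync_stale = p.last_policy_sync is None or now - p.last_policy_sync > POLICY_STALE_AFTER
    if p.health_check_healthy and sync_stale:
        findings.append("ZT-NET-13")
    if p.split_dns_leak:                                # step 4
        findings.append("ZT-NET-14")
    if p.vpn_fallback_activated:                        # step 5
        findings.append("ZT-NET-16")
    # Steps 3 and 6: app reachable without policy enforcement.
    if not p.direct_route_blocked or p.reachable_without_connector_from_trusted_net:
        findings.append("ZT-NET-17")
    return findings


def evaluate_bypasses(records: list[BypassRecord], now: datetime) -> list[str]:
    """Return IDs of bypasses lacking owner/expiry/audit/scope/notification or already expired."""
    offending = []
    for r in records:
        missing_governance = (r.owner is None or r.expires_at is None or r.audit_ticket is None
                              or r.scope is None or not r.notified)
        # Edge case 2: bypass still present after its window closed (persists after recovery).
        expired_but_present = r.expires_at is not None and r.expires_at <= now
        if missing_governance or expired_but_present:
            offending.append(r.bypass_id)
    return offending


def assess(private_apps: list[str], probes: list[ConnectorProbe],
           bypasses: list[BypassRecord], now: datetime) -> dict[str, list[str]]:
    """Produce a per-app finding list; apps never probed get ZT-NET-18."""
    report: dict[str, list[str]] = {}
    probed = {p.app: p for p in probes}
    for app in private_apps:
        report[app] = evaluate_probe(probed[app], now) if app in probed else ["ZT-NET-18"]
    if evaluate_bypasses(bypasses, now):
        report["_bypass_governance"] = ["ZT-NET-15"]
    return report


# Constructed sample data (not real telemetry).
NOW = datetime(2026, 6, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_APPS = ["hr-portal", "legacy-erp", "git-server", "wiki"]
SAMPLE_PROBES = [
    ConnectorProbe("hr-portal", True, True, True, False, False, False, True, NOW - timedelta(minutes=2)),
    ConnectorProbe("legacy-erp", False, True, True, True, True, False, True, NOW - timedelta(hours=3)),
    ConnectorProbe("git-server", True, True, False, False, False, True, False, NOW - timedelta(minutes=1)),
]
SAMPLE_BYPASSES = [
    BypassRecord("bp-001", "netops-oncall", NOW + timedelta(hours=4), "INC-4711", "legacy-erp", True),
    BypassRecord("bp-002", None, NOW - timedelta(days=30), None, "*", False),
]


def run_sample() -> dict[str, list[str]]:
    """Run the assessment over the constructed sample and return the report."""
    return assess(SAMPLE_APPS, SAMPLE_PROBES, SAMPLE_BYPASSES, NOW)


if __name__ == "__main__":
    for app, ids in run_sample().items():
        print(f"{app}: {', '.join(ids) or 'no findings'}")
```

The staleness check is deliberately separate from the health flag so that a connector reporting "healthy" with an old sync timestamp is surfaced as ZT-NET-13 rather than hidden behind a green dashboard, and an app absent from the probe list is reported as ZT-NET-18 instead of silently passing.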
@github-actions

Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 18, 2026
@github-actions github-actions Bot closed this Jun 18, 2026
