feat: fluxgate v0.4.0 — close mitigation detection gaps from manual triage

Four new detection capabilities based on Red Hat triage analysis:

- Gap 1: Actor guards — detect github.actor == 'bot[bot]' gates (→ info)
  and human actor restrictions (→ downgrade by 1)
- Gap 2: Action-based permission gates — recognize actions-cool/check-user-permission
  and similar third-party permission-checking actions as maintainer checks
- Gap 3: Cross-job needs: gating — follow needs: chains to detect environment
  approval gates on upstream authorize jobs (→ downgrade by 1)
- Gap 4: Path isolation — detect fork code checked out to subdirectory with
  no direct execution, downgrade confidence to pattern-only

Also adds fork guard to Fluxgate's own CI workflow (fixes FG-006 self-finding).

Validated against 11 triage findings: 5 false criticals corrected automatically,
2 false positives eliminated, 2 clean criticals unchanged.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: north-echo

.github/workflows/ci.yaml

@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   build-and-test:
+    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

cmd/fluxgate/main.go

@@ -14,7 +14,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var version = "0.3.0"
+var version = "0.4.0"
 
 func main() {
 	rootCmd := &cobra.Command{