Improve LLM vector namespace authorization gates

[MAUROCERON]

Summary

Implements #1325 by strengthening the llm-top-10 skill's RAG authorization review coverage for vector namespace, ingestion/backfill, ACL metadata, revocation, debug/admin search, and hybrid retrieval edge cases.

Changes

• Adds RAG authorization evidence collection for namespace/index/collection mapping, ACL metadata, backfill writer identity, debug/admin paths, and permission-change propagation.
• Expands LLM02, LLM04, and LLM08 guidance so reviewers distinguish superficial user-facing filters from enforced vector-store authorization boundaries.
• Adds a new edge-case fixture covering tenant-isolated retrieval, shared default namespace backfills, post-filter-after-top-k leakage, stale ACL metadata, hybrid BM25/vector drift, and auto-created shadow tenants.
• Updates the LLM08 reference URL and adds official vector-store references for namespace/filter behavior.

Validation

• Markdown fence balance checked locally for both changed files.
• Remote branch content fetched and checked for marker presence plus encoding corruption.
• Official references checked with HTTP 200: OWASP LLM08, Pinecone namespaces/concepts, Pinecone metadata filtering, Weaviate multi-tenancy, and Qdrant filtering.

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms.
• Preferred payment method: Payment details can be provided privately after maintainer acceptance.