
Commit f78d0af

skills(security-scan): add reference.md
Progressive-disclosure reference per Anthropic's skill authoring best practices — loaded when triaging security-scan findings. Covers the AgentShield and zizmor rule catalogs (grouped by what each rule protects against, with default severity), common false positives (doc-listed token prefixes, excessive-permissions on workflow-level blocks, trusted-context template injection), a severity decision tree, four worked fix recipes (unpinned action, template injection, overly broad permissions, hardcoded token), and how to suppress rules correctly (with a *reason*, not just *that*). SKILL.md now links reference.md in its Reference section.
1 parent 2eb3c5c commit f78d0af

2 files changed

Lines changed: 415 additions & 0 deletions

File tree

.claude/skills/security-scan/SKILL.md

Lines changed: 6 additions & 0 deletions
@@ -81,3 +81,9 @@ The agent:
8181
Output a HANDOFF block per `_shared/report-format.md` for pipeline chaining.
8282

8383
Update queue: `status: done`, write `findings_count` and final grade.
84+
85+
---
86+
87+
## Reference
88+
89+
For rule catalogs (AgentShield + zizmor), common false positives, severity decision tree, and fix recipes — load [reference.md](./reference.md) when triaging findings.
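Review bot: the new `## Reference` pointer is placed after the final pipeline step (`Update queue: status: done`, write `findings_count` and final grade), so an agent reading SKILL.md top to bottom only reaches "load reference.md when triaging findings" after the grade has already been written; the severity decision tree and false-positive list the commit message describes are needed before severities are assigned, so either move this pointer up next to the triage step or state explicitly that reference.md must be loaded before severities and the final grade are computed. The relative link `./reference.md` is fine as long as reference.md lands beside SKILL.md in `.claude/skills/security-scan/`; the file list above reports 2 files changed with 415 additions, but only the 6-line SKILL.md hunk is rendered here, so the reviewer cannot confirm the path from this page.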

0 commit comments
