Rip out compensating-controls framework (#359)

## Summary

Removes the compensating-controls (CC) framework. Prowler and Kingfisher continue to run weekly and produce reports; the Prowler mutelist YAML files stay in place but no longer carry \`CC: <id>\` prefixes — each entry now just keeps a free-form \`Description\` of why it's muted.

The CC review cadence proved to be more process overhead than this single-operator homelab needed.

## What changed

**Deleted**
- \`compensating-controls.yaml\` — the CC registry
- \`mise-tasks/review-compensating-controls\` — the staleness-review task
- \`docs/how-to/operations/review-compensating-controls.md\`
- \`docs/how-to/operations/record-review-evidence.md\` (was aspirational)
- \`docs/explanation/compliance-mute-categories.md\` (proposed-future CC/NA/RA work)
- 5 orphan \`+review-cc-*\` / \`+compliance-mute-categories\` changelog fragments

**Modified**
- 6 mutelist YAML files: stripped \`CC: <id>.\` prefix from every \`Description\` / \`statement\` field, kept the free-form text
- \`mise-tasks/review-compliance-reports\`: removed CC mentions from docstrings, panel text, and the node-verification table title. Node-verification logic itself is unchanged.
- \`docs/reference/operations/security.md\`: removed the "Compensating controls" section
- \`docs/how-to/operations/read-compliance-reports.md\`: rewrote step 3 of "Acting on findings" to point at the mutelist YAML directly
- \`docs/changelog.d/prowler-iac-mutelist.infra.md\`: rewrote to drop the "two new compensating controls" framing

## What did not change

- All Prowler manifests (cronjobs, RBAC, PVs, kustomization) — scans still run on the same schedule
- The Kingfisher deployment
- The trivy-shim in the Prowler container — that's about Trivy ignorefile plumbing, independent of the CC concept
- The mutelist entries themselves — each \`Resources\` list is unchanged; only the prose of \`Description\` was edited
- \`CHANGELOG.md\` — historical releases are left as-is

## Test plan

- [ ] Wait for human review before deploying — once merged, re-point ArgoCD: \`argocd app set prowler --revision main && argocd app sync prowler\` (no manifest changes besides the ConfigMap, so impact is limited to muted-finding descriptions in next week's report)
- [ ] Confirm next weekly Prowler K8s CIS run (Sunday 3am) still completes and produces a report on sifaka
- [ ] Confirm next weekly Prowler IaC run still honors \`trivyignore.yaml\` (the trivy shim is untouched but the ignorefile content was rewritten)
- [ ] \`mise run review-compliance-reports\` — verify node-verification block still runs and prints the renamed table title

Reviewed-on: #359

argocd/manifests/prowler/mutelist/trivyignore.yaml

@@ -14,26 +14,24 @@ misconfigurations:
     paths:
       - "argocd/manifests/external-secrets/rbac.yaml"
     statement: >-
-      CC: operator-purpose-bound-rbac. external-secrets-operator's entire
-      function is to read and synthesize Secret objects; ClusterRole over
-      secrets is its purpose. Both the controller and cert-controller are
+      external-secrets-operator's entire function is to read and
+      synthesize Secret objects; ClusterRole over secrets is its
+      purpose. Both the controller and cert-controller are
       upstream-defined.
   - id: KSV-0041
     paths:
       - "argocd/manifests/kube-state-metrics/rbac.yaml"
       - "argocd/manifests/kube-state-metrics-ringtail/rbac.yaml"
     statement: >-
-      CC: kube-state-metrics-metadata-only. KSM exposes only Secret
-      metadata (name, namespace, type, labels), never the data field.
-      list/watch on secrets is required for kube_secret_info /
-      kube_secret_labels metrics.
+      KSM exposes only Secret metadata (name, namespace, type, labels),
+      never the data field. list/watch on secrets is required for
+      kube_secret_info / kube_secret_labels metrics.
   - id: KSV-0114
     paths:
       - "argocd/manifests/external-secrets/rbac.yaml"
     statement: >-
-      CC: operator-purpose-bound-rbac. cert-controller manages the
-      external-secrets validating webhook configurations to inject its
-      own rotating CA bundle. RBAC is scoped to two named webhooks
-      (secretstore-validate, externalsecret-validate) via resourceNames;
-      KSV-0114 doesn't see the resourceNames restriction so reports the
-      full ClusterRole.
+      cert-controller manages the external-secrets validating webhook
+      configurations to inject its own rotating CA bundle. RBAC is
+      scoped to two named webhooks (secretstore-validate,
+      externalsecret-validate) via resourceNames; KSV-0114 doesn't see
+      the resourceNames restriction so reports the full ClusterRole.