fix(detector): detect mutated capture subscript replay

[prasannakotyal]

Summary

Targets KG red #148, where custom_kernel mutates a captured container with an input-derived value through .extend(...), then returns a subscript of that same captured container from an input-independent fast path.

This adds a narrow MUTATED_CAPTURE_SUBSCRIPT_REPLAY detector. It requires:

• captured names referenced by the entrypoint but not input parameters or top-level local name targets
• mutation of a captured container through input-derived AugAssign, global assignment, or mutating methods such as .append, .extend, .insert, .update, and .setdefault
• an if replay branch whose test does not reference input parameters
• a call-free replay body returning a subscript of the mutated capture directly, or a local alias assigned from that subscript

Legitimate local containers, input-dependent guards, and replay bodies that perform calls stay out of scope.

KernelGuard-Red-Submission: 148

Local verification

• red_28_list_extend_replay -> MUTATED_CAPTURE_SUBSCRIPT_REPLAY, should_filter=True
• red_25_list_insert_replay -> MUTATED_CAPTURE_SUBSCRIPT_REPLAY, should_filter=True
• red_41_dict_setdefault_replay -> MUTATED_CAPTURE_SUBSCRIPT_REPLAY, should_filter=True
• red_95_dict_comprehension_update_replay -> MUTATED_CAPTURE_SUBSCRIPT_REPLAY, should_filter=True
• clean fixtures in eval_blue_patch.py stayed valid
• uv run python -m py_compile kernelguard.py

[github-actions]

KernelGuard Blue Evaluation

• Evaluation job: 64
• Blue submission: 44
• Result: passed
• Target red submission caught: True
• Validation suite: TP 20/20, FP 20/20
• Surgicalness score: 1.0
• Workflow run: https://github.com/SinatrasC/kernelguard/actions/runs/25238193841

[SinatrasC]

Thanks for the KernelGuard Flywheel Campaign contribution. We are not merging this narrow variant separately because the consolidated rule-family implementation in #273 is the merge path for this detector area.