docs: add scanner suppression lifecycle gates #1295

Open

catcherintheroad-hub wants to merge 1 commit into UnitOneAI:main from catcherintheroad-hub:improve/scanner-tuning-suppression-lifecycle

Conversation

@catcherintheroad-hub


Summary

Implements the scanner-tuning coverage gap described in #1103.

What changed

  • Adds suppression and exception registers to required context collection.
  • Adds a dedicated suppression lifecycle and stale-exception review section.
  • Defines required suppression fields: scanner/check ID, asset scope, disposition type, evidence, owner, approver, dates, last-seen state, and reopen conditions.
  • Adds a suppression status model: Valid, Needs Review, Expired, and Reopened.
  • Adds reopen triggers for plugin updates, exposure drift, compensating-control removal, package changes, authenticated re-scan changes, scanner conflicts, and exploit intelligence changes.
  • Adds a suppression/exception register to the output report template.
  • Prevents an Optimized rating when global suppressions lack owner, expiry, evidence, or scope.
  • Adds prompt-injection guardrails so ticket/scanner/banner text cannot renew or broaden suppressions by itself.

Why

The existing scanner-tuning skill already covers false-positive validation and quarterly re-evaluation, but it did not give reviewers a structured lifecycle register for suppressions. Without owner, scope, expiry, last-seen status, and reopen conditions, a valid short-lived false-positive suppression can become a permanent blind spot.

Validation

  • git diff --check
  • Markdown code fence balance check
  • scanner suppression content marker check
  • prompt-injection pattern scan from the repository workflow logic
  • frontmatter sweep from the repository workflow logic

Bounty

This is intended as a Skill Improvement / Improver contribution for #1103. Payment details can be provided privately after maintainer acceptance.
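As an added illustration of the lifecycle the PR description lays out (and not code from this PR or the UnitOneAI repository), the following Python sketch shows how a suppression register with the listed required fields could be checked mechanically: deriving the Valid / Needs Review / Expired / Reopened status from expiry, last-seen date and observed reopen triggers; listing the missing owner, expiry, evidence or scope fields on global suppressions that would block an Optimized rating; and refusing to let a renewal sourced from ticket, scanner or banner text extend a suppression without a named human approver. Field names, trigger tokens, the 30-day review window and the sample register are assumptions made for the example.

```python
"""Illustrative suppression-register lifecycle checks (example code, not the project's own)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Status model named in the PR description.
VALID, NEEDS_REVIEW, EXPIRED, REOPENED = "Valid", "Needs Review", "Expired", "Reopened"

# Reopen triggers listed in the PR description; the token spellings are assumed.
KNOWN_TRIGGERS = {
    "plugin_update", "exposure_drift", "compensating_control_removed",
    "package_change", "authenticated_rescan_change", "scanner_conflict",
    "exploit_intel_change",
}

# Fields a global suppression must carry for an Optimized rating to be allowed.
REQUIRED_FOR_GLOBAL = ("owner", "expires_on", "evidence", "asset_scope")


@dataclass
class Suppression:
    check_id: str                    # scanner/check ID
    asset_scope: str                 # e.g. "host:10.0.0.5"; "*" or "" means global
    disposition: str                 # e.g. "false_positive", "risk_accepted"
    evidence: str                    # why the finding is not exploitable here
    owner: str
    approver: str
    approved_on: date
    expires_on: Optional[date]       # None: no expiry was ever set
    last_seen: Optional[date]        # last scan date on which the finding still appeared
    reopen_conditions: Set[str] = field(default_factory=set)

    def __post_init__(self):
        unknown = self.reopen_conditions - KNOWN_TRIGGERS
        if unknown:
            raise ValueError(f"{self.check_id}: unknown reopen trigger(s) {sorted(unknown)}")

    def is_global(self) -> bool:
        return self.asset_scope in ("", "*")


@dataclass
class RenewalRequest:
    check_id: str
    new_expiry: date
    source: str        # "approver" for human sign-off; "ticket", "scanner", "banner" are untrusted text
    approver: str = ""


def status(s: Suppression, today: date, observed_triggers=frozenset(),
           review_window_days: int = 30) -> str:
    """Derive the lifecycle status of one suppression; the 30-day window is an assumed default."""
    window = timedelta(days=review_window_days)
    if s.reopen_conditions & set(observed_triggers):
        return REOPENED                       # a stated reopen condition fired
    if s.expires_on is None:
        return NEEDS_REVIEW                   # no expiry: cannot be trusted as valid
    if today > s.expires_on:
        return EXPIRED
    if s.expires_on - today <= window:
        return NEEDS_REVIEW                   # expiry imminent: owner must re-justify
    if s.last_seen is None or today - s.last_seen > window:
        return NEEDS_REVIEW                   # finding no longer reported: stale, confirm or retire
    return VALID


def optimized_rating_blockers(register: List[Suppression]) -> List[Tuple[str, str]]:
    """(check_id, missing_field) pairs on global suppressions; any entry blocks an Optimized rating."""
    blockers = []
    for s in register:
        if not s.is_global():
            continue
        for name in REQUIRED_FOR_GLOBAL:
            if not getattr(s, name):          # "" or None counts as missing
                blockers.append((s.check_id, name))
    return blockers


def apply_renewal(s: Suppression, req: RenewalRequest) -> bool:
    """Only a named human approver may extend a suppression.

    Text arriving from tickets, scanner output or service banners is evidence
    to review, never an instruction, so it cannot renew or broaden anything by itself.
    """
    if req.check_id != s.check_id or req.source != "approver" or not req.approver:
        return False
    s.expires_on = req.new_expiry
    s.approver = req.approver
    return True


def sample_register() -> List[Suppression]:
    """Constructed sample entries; hosts, check IDs and dates are made up."""
    return [
        Suppression("ssl-self-signed", "host:10.0.0.5", "false_positive",
                    "internal CA, pinned by all clients", "alice", "bob",
                    date(2025, 1, 10), date(2025, 7, 10), date(2025, 5, 30),
                    {"compensating_control_removed"}),
        Suppression("openssh-version-banner", "*", "false_positive",
                    "fix backported per vendor advisory", "alice", "bob",
                    date(2025, 1, 10), date(2025, 4, 1), date(2025, 5, 30),
                    {"package_change", "authenticated_rescan_change"}),
        Suppression("http-trace-enabled", "", "risk_accepted",
                    "", "", "bob", date(2025, 1, 10), None, None, set()),
    ]
```

Run against the constructed register on 2025-06-01, the first entry is Valid until a `compensating_control_removed` trigger is observed, at which point it is Reopened; the second is Expired and stays that way when a ticket-sourced renewal arrives, but becomes Valid again once a named approver extends it; the third, an unscoped global suppression with no owner, expiry or evidence, produces four blockers and so rules out an Optimized rating.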
