Add patch deferral revalidation gates#1453

Open
jddark62 wants to merge 2 commits into UnitOneAI:main from jddark62:improve/patch-deferral-revalidation
Conversation

@jddark62 jddark62 commented Jun 6, 2026

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: patch-prioritization
Skill path: skills/vuln-management/patch-prioritization/

What Was Wrong

Fixes #1401.

The skill documented compensating controls, risk exceptions, expiration dates, and review dates, but did not require event-driven revalidation while a vulnerability remained deferred or under exception. That can make a previously valid exception look safe after the vendor releases a patch, the CVE enters CISA KEV, EPSS surges, exploit code becomes public, asset exposure changes, or compensating controls fail.

What This PR Fixes

  • Adds a deferred vulnerability revalidation step for active exceptions and deferred patch decisions.
  • Adds trigger coverage for vendor patch/workaround release, KEV/BOD deadline, EPSS surge, public exploit, active exploitation, exposure drift, scanner/source-feed freshness, compensating-control failure, and ownership/scope changes.
  • Defines revalidation requirements: last/next revalidation date, triggers checked, evidence source and feed timestamp, resulting action, patch-available deadline, mandatory due date, control retest evidence, and human approver.
  • Adds cadence expectations by original SLA tier.
  • Adds exception-health modifiers so stale exceptions or untested controls downgrade patch posture.
  • Extends the report with risk-exception revalidation fields and a dedicated Deferred Vulnerability Revalidation table.
  • Adds fixture cases for patch availability, KEV/BOD/EPSS escalation, exposure drift, failed compensating controls, no-material-change revalidation, stale/unavailable source feeds, and mandatory due-date handling.

Evidence

Before (false positive patch posture):

exception:
  cve: CVE-2026-12345
  status: approved
  reason: vendor patch unavailable
  review_date: "2026-09-01"
  compensating_control: waf_rule
current_state:
  vendor_patch: released
  cisa_kev: listed
  epss_30_day_change: +0.42
  asset_exposure: internet_facing

The old skill could leave this exception valid until the scheduled review date.

After (now correctly handled):
The skill requires immediate revalidation when patch availability, KEV/BOD, EPSS, exploitability, exposure, scanner/source freshness, or compensating-control evidence changes. The report must record triggers checked, evidence freshness, mandatory due dates, control retest state, resulting action, new deadline when applicable, and human approval for continued risk acceptance.

Test Cases Added/Updated

  • Added edge-case fixtures: skills/vuln-management/patch-prioritization/tests/deferred-revalidation-gates.md
  • Existing content sanity checks pass

Validation performed:

  • Ruby YAML.safe_load parsed all 7 YAML fixtures
  • git diff --check
  • Added-line ASCII scan
  • Privacy scan for local paths/personal-name fragments

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: To be provided privately if awarded
/claim #1401
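Worked example of the gate described in this PR. This is an added illustration, not code from the patch-prioritization skill, the fixtures or the PR: it takes the exception record and current state from the "Before" evidence above and turns the listed triggers (vendor patch/workaround, KEV/BOD deadline, EPSS surge, public exploit or active exploitation, exposure drift, stale source feed, failed or untested compensating control, passed review date) into a revalidation decision with the fields the PR says the report must record. Field names beyond the page's fixture (sla_tier, exposure_at_approval, control_last_tested, control_status, public_exploit, active_exploitation, feed_timestamp, kev_due_date) and every threshold and cadence value are assumptions; the fixture itself is constructed.

```python
"""Deferred-vulnerability revalidation gate (added example, not the skill's own code).

Given an approved exception and the current threat/exposure state, return the
triggers that fired, the resulting action, the due date and whether a human
approver must re-accept the risk.  Thresholds and extra field names are assumed.
"""
from datetime import date, datetime, timedelta

# Assumed policy values (days, except the EPSS delta).
CADENCE_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}         # by original SLA tier
PATCH_DEADLINE_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 60}   # once a fix exists
ESCALATION_REVIEW_DAYS = 3
EVIDENCE_REFRESH_DAYS = 1
MAX_FEED_AGE_DAYS = 7
MAX_CONTROL_TEST_AGE_DAYS = 30
EPSS_SURGE_DELTA = 0.20

# Triggers that suspend an exception pending human review when no patch exists yet.
ESCALATE_ON = {
    "kev_listed", "epss_surge", "public_exploit", "active_exploitation",
    "exposure_drift", "compensating_control_failed", "control_retest_overdue",
    "review_date_passed",
}


def _day(s):
    return date.fromisoformat(s)


def _feed_day(ts):
    # Feed timestamps are ISO-8601 UTC strings such as "2026-06-05T00:00:00Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).date()


def collect_triggers(exception, current, today):
    """Return the revalidation triggers that fire for this exception on `today`."""
    fired = []
    feed_age = (today - _feed_day(current["feed_timestamp"])).days
    if feed_age < 0 or feed_age > MAX_FEED_AGE_DAYS:
        fired.append("source_feed_stale")
    if current["vendor_patch"] in ("released", "workaround"):
        fired.append("vendor_patch_available")
    if current["cisa_kev"] == "listed":
        fired.append("kev_listed")
    if current["epss_30_day_change"] >= EPSS_SURGE_DELTA:
        fired.append("epss_surge")
    if current.get("public_exploit"):
        fired.append("public_exploit")
    if current.get("active_exploitation"):
        fired.append("active_exploitation")
    if current["asset_exposure"] != exception["exposure_at_approval"]:
        fired.append("exposure_drift")
    if current.get("control_status") == "failed":
        fired.append("compensating_control_failed")
    if (today - _day(exception["control_last_tested"])).days > MAX_CONTROL_TEST_AGE_DAYS:
        fired.append("control_retest_overdue")   # exception-health modifier: untested control
    if today > _day(exception["review_date"]):
        fired.append("review_date_passed")       # exception-health modifier: stale exception
    return fired


def revalidate(exception, current, today_iso):
    """Decide what happens to a deferred vulnerability on the revalidation dated `today_iso`."""
    today = _day(today_iso)
    tier = exception["sla_tier"]
    fired = collect_triggers(exception, current, today)
    if "vendor_patch_available" in fired:
        # The deferral's reason is gone: start the patch clock now; a known KEV/BOD
        # due date can only shorten it, never extend it.
        due = today + timedelta(days=PATCH_DEADLINE_DAYS[tier])
        if current.get("kev_due_date"):
            due = min(due, _day(current["kev_due_date"]))
        action, status = "patch", "revoked"
    elif ESCALATE_ON & set(fired):
        due = today + timedelta(days=ESCALATION_REVIEW_DAYS)
        action, status = "escalate", "suspended"
    elif "source_feed_stale" in fired:
        # Nothing visible changed, but the evidence is too old to claim "no material change".
        due = today + timedelta(days=EVIDENCE_REFRESH_DAYS)
        action, status = "refresh_evidence", "unverified"
    else:
        due = today + timedelta(days=CADENCE_DAYS[tier])
        action, status = "continue_exception", "approved"
    return {
        "cve": exception["cve"],
        "last_revalidation": today.isoformat(),
        "evidence_feed_timestamp": current["feed_timestamp"],
        "triggers_fired": fired,
        "action": action,
        "exception_status": status,
        "due_date": due.isoformat(),
        # Continued or suspended risk acceptance needs a named approver; patching does not.
        "human_approval_required": action != "patch",
    }


# Constructed fixture mirroring the PR's "Before" evidence; fields not on the page are assumed.
EXCEPTION = {
    "cve": "CVE-2026-12345", "status": "approved", "reason": "vendor patch unavailable",
    "review_date": "2026-09-01", "compensating_control": "waf_rule",
    "control_last_tested": "2026-03-01", "exposure_at_approval": "internal", "sla_tier": "critical",
}
CURRENT_STATE = {
    "vendor_patch": "released", "cisa_kev": "listed", "epss_30_day_change": 0.42,
    "asset_exposure": "internet_facing", "public_exploit": False,
    "feed_timestamp": "2026-06-05T00:00:00Z",
}

if __name__ == "__main__":
    print(revalidate(EXCEPTION, CURRENT_STATE, "2026-06-06"))
```

Run against the fixture, the exception is revoked with a patch due 7 days out rather than surviving until the September review date; swapping the state for one with no patch, no KEV entry, a flat EPSS and a recently tested control yields `continue_exception` with a 14-day next revalidation, and the same quiet state with a month-old feed yields `refresh_evidence` instead, because a stale feed cannot establish "no material change".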

Development

Successfully merging this pull request may close these issues.

[REVIEW] patch-prioritization: add deferred vulnerability revalidation gates