
feat(skill): add patch context freshness gates#2608

Closed
452740336 wants to merge 1 commit into UnitOneAI:main from 452740336:codex/patch-prioritization-context-ttl

Conversation

@452740336


Summary

This PR improves the existing patch-prioritization skill for #2502 by adding context freshness TTL checks and reprioritization triggers for patch SLA decisions.

It covers cases where stale context can distort risk-based patching:

  • historical internet-exposure labels that overstate urgency after a temporary public endpoint is closed
  • stale internal-only labels that understate urgency after an asset becomes internet-facing
  • copied or aged CMDB criticality tags that survive service migration or decommissioning
  • exploit maturity, KEV, EPSS, and compensating-control changes that should tighten exception deadlines

What changed

  • Added context freshness evidence to required input collection.
  • Added a "Validate Context Freshness Before Assigning SLA" gate with TTLs for exposure, criticality, exploit maturity, and control verification.
  • Added freshness decisions for fresh, stale-escalation-risk, stale-deferral-risk, and not-evaluable states.
  • Added tier assignment rules requiring freshness before SLA relaxation.
  • Added reprioritization triggers for exposure, criticality, exploit maturity, and exception-basis changes.
  • Added a "Context Freshness and Reprioritization Events" output table.
  • Added a common pitfall for using stale asset context as current evidence.
  • Added 3 vulnerable fixtures and 3 benign fixtures.
  • Added a verifier script for the new TTL gates and fixture coverage.
  • Quoted existing ISO 27001 framework values in YAML metadata so repository validation can parse them.

Validation

skills/vuln-management/patch-prioritization/scripts/verify-context-ttl-gates.sh
bash -lc 'EXIT_CODE=0; REQUIRED_FIELDS=(name description version author license injection-hardened allowed-tools tags role phase frameworks difficulty time_estimate); FILES=$(find skills/ roles/ -name SKILL.md 2>/dev/null || true); while IFS= read -r file; do FRONTMATTER=$(awk "/^---$/{if(++c==2) exit} c==1" "$file"); for field in "${REQUIRED_FIELDS[@]}"; do if ! echo "$FRONTMATTER" | grep -qE "^${field}:"; then echo "missing $field in $file"; EXIT_CODE=1; fi; done; done <<< "$FILES"; exit $EXIT_CODE'
ruby -e 'require "yaml"; y=YAML.load_file("index.yaml"); paths=(y["skills"]||[]).map{|x|x["file"]}+(y["roles"]||[]).map{|x|x["file"]}; missing=paths.compact.reject{|p| File.file?(p)}; abort("missing paths: #{missing.join(", ")}") unless missing.empty?; puts "index paths ok: #{paths.compact.size}"'
ruby -e 'require "yaml"; Dir["skills/**/SKILL.md"].each{|f| text=File.read(f); fm=text.split(/^---\s*$/,3)[1]; YAML.safe_load(fm, permitted_classes: [], aliases: false) || abort("empty frontmatter #{f}")}; puts "skill frontmatter yaml ok"'
git diff --check
git diff --cached --check
git diff --check HEAD~1..HEAD

AI assistance disclosure

Prepared with Codex assistance and manually validated before submission.

Closes #2502
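As an added example (not code from this PR or from the SecuritySkills repository), the following Python models the gate the description outlines: each piece of context evidence (exposure, criticality, exploit maturity, control verification) is classified against a TTL into fresh, stale-escalation-risk, stale-deferral-risk or not-evaluable; tier assignment replaces any evidence that cannot be trusted to defer with a conservative value, so only fresh evidence can relax the SLA; and a reprioritization trigger tightens an open exception when refreshed context tightens the tier. The TTL values, label vocabulary, tier names, SLA days and the three fixtures are all assumptions constructed for illustration, not the PR's actual values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed TTLs per evidence kind (illustrative; the PR's real values are not on the page).
TTL = {"exposure": timedelta(days=7), "criticality": timedelta(days=30),
       "exploit_maturity": timedelta(days=3), "control_verification": timedelta(days=14)}
# Label values that, if believed, push urgency up. A stale label in this set risks
# over-escalation; a stale label outside it risks unwarranted deferral.
URGENCY_RAISING = {"exposure": {"internet-facing"}, "criticality": {"critical", "high"},
                   "exploit_maturity": {"kev", "weaponized"},
                   "control_verification": {"unverified"}}
# Value substituted for evidence that cannot be trusted to justify deferral.
CONSERVATIVE = {"exposure": "internet-facing", "criticality": "critical",
                "exploit_maturity": "kev", "control_verification": "unverified"}
TIERS = ["P1", "P2", "P3", "P4"]                 # P1 is the tightest SLA
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}


@dataclass(frozen=True)
class Evidence:
    kind: str
    value: str
    observed_at: Optional[datetime]              # None: no timestamp recorded


def freshness_state(ev: Evidence, now: datetime) -> str:
    """Classify one piece of context evidence against its TTL."""
    if ev.observed_at is None or ev.kind not in TTL:
        return "not-evaluable"
    if now - ev.observed_at <= TTL[ev.kind]:
        return "fresh"
    if ev.value in URGENCY_RAISING[ev.kind]:
        return "stale-escalation-risk"           # e.g. an old internet-facing label
    return "stale-deferral-risk"                 # e.g. an old internal-only label


def base_tier(values: dict) -> str:
    """Illustrative tiering policy over already freshness-filtered labels."""
    exposed = values["exposure"] == "internet-facing"
    exploited = values["exploit_maturity"] in URGENCY_RAISING["exploit_maturity"]
    critical = values["criticality"] in URGENCY_RAISING["criticality"]
    if exposed and exploited:
        tier = "P1"
    elif exposed or (exploited and critical):
        tier = "P2"
    elif exploited or critical:
        tier = "P3"
    else:
        tier = "P4"
    # A verified compensating control relaxes the SLA by one tier.
    if values["control_verification"] == "verified" and tier != "P4":
        tier = TIERS[TIERS.index(tier) + 1]
    return tier


def assign_tier(evidence: dict, now: datetime) -> dict:
    """Freshness gate: only fresh evidence may relax the SLA."""
    states = {k: freshness_state(e, now) for k, e in evidence.items()}
    values = {k: e.value for k, e in evidence.items()}
    for kind, state in states.items():
        # Deferral-direction stale evidence and untimestamped evidence get the
        # conservative value. Escalation-risk evidence is kept: it cannot relax
        # the SLA until re-verified, but it is not made worse either.
        if state in ("stale-deferral-risk", "not-evaluable"):
            values[kind] = CONSERVATIVE[kind]
    tier = base_tier(values)
    events = [f"revalidate {k}: {s}" for k, s in states.items() if s != "fresh"]
    return {"tier": tier, "sla_days": SLA_DAYS[tier], "states": states, "events": events}


def reprioritize(old: dict, new: dict, now: datetime) -> dict:
    """Reprioritization trigger: a context change that tightens the tier must also
    tighten any open exception deadline; a loosening is only a candidate."""
    before, after = assign_tier(old, now), assign_tier(new, now)
    triggers = [k for k in new if k not in old or old[k].value != new[k].value]
    delta = TIERS.index(after["tier"]) - TIERS.index(before["tier"])
    action = "tighten-exception" if delta < 0 else "relax-candidate" if delta > 0 else "no-change"
    return {"action": action, "from": before["tier"], "to": after["tier"],
            "deadline_days": after["sla_days"], "triggers": triggers}


NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)   # constructed reference time


def fixture(**labels) -> dict:
    """Build an evidence set from kind=(value, age_in_days or None) pairs (constructed data)."""
    return {k: Evidence(k, v, None if age is None else NOW - timedelta(days=age))
            for k, (v, age) in labels.items()}


# Asset became internet-facing, but the CMDB still carries a 40-day-old internal-only label.
STALE_INTERNAL = fixture(exposure=("internal-only", 40), criticality=("medium", 2),
                         exploit_maturity=("poc", 1), control_verification=("verified", 5))
# 60-day-old internet-facing label from a closed temporary endpoint, an untimestamped
# criticality tag and a control verification that has outlived its TTL.
STALE_EXPOSED = fixture(exposure=("internet-facing", 60), criticality=("low", None),
                        exploit_maturity=("none", 1), control_verification=("verified", 20))
# STALE_INTERNAL after re-verification, with the vulnerability now KEV-listed.
REFRESHED_KEV = {**STALE_INTERNAL, **fixture(exposure=("internet-facing", 0),
                                             exploit_maturity=("kev", 0))}
```

Calling `assign_tier(STALE_INTERNAL, NOW)` lands on P3 rather than the P4 the stale internal-only label would suggest, with a revalidate event for exposure; `assign_tier(STALE_EXPOSED, NOW)` stays at P2 because neither the aged exposure label nor the expired control verification may relax the SLA; and `reprioritize(STALE_INTERNAL, REFRESHED_KEV, NOW)` returns a tighten-exception action from P3 to P2 citing exposure and exploit_maturity as triggers.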

452740336 requested a review from kamalsrini as a code owner on June 15, 2026 15:31
github-actions bot added the needs-approved-issue label (PR has no linked maintainer-approved issue) on Jun 15, 2026
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

github-actions bot closed this on Jun 15, 2026

Labels

needs-approved-issue: PR has no linked maintainer-approved issue


Development

Successfully merging this pull request may close these issues.

[REVIEW] patch-prioritization: add internet-exposure TTL and asset-criticality decay checks
