Improve segmentation failover route bypass gates#2075

Open
shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/segmentation-failover-route-bypass

Conversation

@shensz2017


Bounty type

Skill Improvement ($50-150 potential bounty)

Requested bounty tier: Moderate ($100)

Related review issue: #2074

Summary

This improves segmentation by adding effective-route, transit bypass, asymmetric routing, and HA failover evidence gates.

The existing skill warns about transit bypass paths and says segmentation should survive failover. This change turns that into concrete review evidence and output fields so reviewers can prove the PEP remains in path during normal and degraded states.

Changes

  • Bump segmentation skill version to 1.0.1.
  • Add discovery patterns for transit gateways, peering, VPN, ExpressRoute, and Direct Connect artifacts.
  • Add Step 7 for effective route and failover bypass evidence.
  • Require route table, cloud effective route, PEP, NAT/proxy/load balancer, asymmetric return path, and denied-flow evidence for high-risk zone pairs.
  • Add transit/peering/VPN bypass checks and HA failover validation requirements.
  • Extend severity guidance and report output with normal vs. failover next-hop evidence.
  • Add vulnerable and benign fixtures for failover bypass vs. failover preserving enforcement.

Tests

Added scenario fixtures:

  • tests/vulnerable/segmentation-transit-failover-bypass.yaml
  • tests/benign/segmentation-failover-preserves-pep.yaml

Local validation performed:

  • git diff --check
  • verified required YAML keys in both new fixtures
  • marker checks for effective route, transit bypass, failover validation, output table, and changelog

Payment preference

GitHub Sponsors, if accepted.
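Added example, not code from this PR or the UnitOneAI repository: a small gate that applies the evidence requirement described above (PEP present in the forward and return path in both the normal and the HA-failover state) to constructed zone-pair fixtures. The data shape, the names `ZonePair`, `evaluate_pair` and `report`, and the next-hop labels are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class ZonePair:
    """One high-risk zone pair with its next-hop chain per direction and state."""
    src: str
    dst: str
    pep: frozenset        # PEP HA members allowed to enforce, e.g. {"fw-a", "fw-b"}
    normal_fwd: list
    normal_ret: list
    failover_fwd: list
    failover_ret: list

def evaluate_pair(p: ZonePair) -> list:
    """Return findings; an empty list means enforcement survives failover."""
    findings = []
    states = (("normal", p.normal_fwd, p.normal_ret),
              ("failover", p.failover_fwd, p.failover_ret))
    for state, fwd, ret in states:
        if not p.pep & set(fwd):   # transit/peering/VPN bypass: no PEP member in path
            findings.append(f"{state}: {p.src}->{p.dst} bypasses PEP via {'>'.join(fwd)}")
        if not p.pep & set(ret):   # asymmetric routing: return leg skips the PEP
            findings.append(f"{state}: {p.dst}->{p.src} return path bypasses PEP "
                            f"via {'>'.join(ret)} (asymmetric)")
    return findings

def report(pairs) -> dict:
    """Map 'src->dst' to its findings, only for pairs that fail the gate."""
    out = {}
    for p in pairs:
        findings = evaluate_pair(p)
        if findings:
            out[f"{p.src}->{p.dst}"] = findings
    return out

# Constructed sample fixtures (hypothetical, not the PR's YAML files).
PEP = frozenset({"fw-a", "fw-b"})
VULNERABLE = ZonePair("dmz", "db", PEP,
    normal_fwd=["rt-dmz", "fw-a", "rt-db"], normal_ret=["rt-db", "fw-a", "rt-dmz"],
    # HA event: the failover route table points straight at the transit gateway
    failover_fwd=["rt-dmz", "tgw", "rt-db"], failover_ret=["rt-db", "tgw", "rt-dmz"])
BENIGN = ZonePair("dmz", "db", PEP,
    normal_fwd=["rt-dmz", "fw-a", "rt-db"], normal_ret=["rt-db", "fw-a", "rt-dmz"],
    # standby member fw-b takes over; the PEP stays in path in both directions
    failover_fwd=["rt-dmz", "fw-b", "rt-db"], failover_ret=["rt-db", "fw-b", "rt-dmz"])
ASYMMETRIC = ZonePair("app", "db", PEP,
    normal_fwd=["rt-app", "fw-a", "rt-db"],
    normal_ret=["rt-db", "peering", "rt-app"],   # return leg rides VPC peering
    failover_fwd=["rt-app", "fw-b", "rt-db"], failover_ret=["rt-db", "peering", "rt-app"])

if __name__ == "__main__":
    for pair, findings in report([VULNERABLE, BENIGN, ASYMMETRIC]).items():
        print(pair, *findings, sep="\n  ")
```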
