Improve patch exception rollback governance#2118

Open
shensz2017 wants to merge 1 commit into
UnitOneAI:mainfrom
shensz2017:improve/patch-exception-rollback-governance

Conversation

@shensz2017


Summary

Closes #2116.

Adds exception aging and rollback readiness gates to patch-prioritization so deferred patches preserve the original SLA clock, renewal count, compensating-control freshness, rollback evidence, dependency order, and post-patch validation instead of hiding long-running risk behind renewed deadlines.

What changed

  • Bumped patch-prioritization to 1.0.1.
  • Added Step 7: Exception Aging and Rollback Readiness.
  • Added exception aging evidence for:
    • original SLA retention
    • exception age
    • renewal count
    • auto-renewal blocking
    • escalation for repeated P0/P1/P2 extensions
    • closure criteria
  • Added rollback readiness evidence for:
    • tested rollback
    • backup/snapshot freshness
    • dependency ordering
    • go/no-go criteria
    • post-patch validation
    • residual-risk updates
  • Added PATCH-GOV-01 through PATCH-GOV-08 finding triggers.
  • Added an Exception Aging and Rollback Readiness table to the report template.
  • Added vulnerable and benign fixtures under skills/vuln-management/patch-prioritization/tests/.

Validation

  • git diff --cached --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed Markdown files
  • ASCII-only check for changed files
  • Prompt-injection scan matching .github/workflows/injection-scan.yml
  • Patch governance marker check for PATCH-GOV-*, Exception Aging and Rollback Readiness, original SLA retention, renewal count, auto-renewal block, rollback readiness, post-patch validation, and compensating-control freshness
  • Fixture marker check for auto-renewal/rollback-gap failures and controlled rollback-ready exception evidence

Note: YAML parser validation was attempted, but a local YAML parser was not available (yaml Node module unavailable; Ruby and PyYAML also unavailable in this environment).

References

Bounty

Requesting Improver - Moderate ($100). Preferred payment method: GitHub Sponsors if accepted, otherwise private payment details can be provided after acceptance.
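
As an added illustration (not code from this pull request or the UnitOneAI repository), the Python sketch below models the gates the description lists: original SLA retention, exception age, renewal count, auto-renewal blocking, escalation for repeated extensions, closure criteria, compensating-control freshness, tested rollback, snapshot freshness, dependency ordering, post-patch validation and residual-risk updates. The field names, thresholds and the two fixture records are assumptions made for the example; the page does not define what PATCH-GOV-01 through PATCH-GOV-08 each mean, so findings are reported by description rather than by code.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Thresholds are assumptions for this example; the PR text gives no numeric values.
MAX_RENEWALS = {"P0": 0, "P1": 1, "P2": 2}   # renewals tolerated before escalation
DEFAULT_MAX_RENEWALS = 3                      # assumed value for lower priorities
MAX_CONTROL_STALENESS_DAYS = 30               # compensating control must be re-verified
MAX_SNAPSHOT_AGE_DAYS = 7                     # backup/snapshot freshness window


@dataclass
class PatchException:
    """One deferred patch and the evidence attached to its exception (hypothetical schema)."""
    patch_id: str
    priority: str
    original_due: date               # original SLA deadline; never moved by a renewal
    granted_on: date                 # when the first exception was granted
    renewal_count: int
    auto_renewed: bool               # renewed without a human decision
    control_last_verified: Optional[date]
    rollback_tested: bool
    snapshot_taken: Optional[date]
    dependencies_ordered: bool       # dependent patches sequenced before this one
    post_patch_validation_defined: bool
    residual_risk_updated: bool
    closure_criteria: str


def evaluate(exc: PatchException, today: date) -> List[str]:
    """Return human-readable findings; an empty list means every gate passed."""
    findings: List[str] = []
    age_days = (today - exc.granted_on).days

    # Exception aging gates: the original SLA clock keeps running under every renewal.
    if today > exc.original_due:
        overdue = (today - exc.original_due).days
        findings.append(f"original SLA exceeded by {overdue} days (exception age {age_days} days)")
    if exc.auto_renewed:
        findings.append("auto-renewal is blocked; renewal requires an explicit decision")
    limit = MAX_RENEWALS.get(exc.priority, DEFAULT_MAX_RENEWALS)
    if exc.renewal_count > limit:
        findings.append(f"{exc.renewal_count} renewals exceed {limit} for {exc.priority}; escalate")
    if not exc.closure_criteria.strip():
        findings.append("no closure criteria recorded")
    if exc.control_last_verified is None:
        findings.append("compensating control never verified")
    elif (today - exc.control_last_verified).days > MAX_CONTROL_STALENESS_DAYS:
        findings.append("compensating control verification is stale")

    # Rollback readiness gates: the change can only proceed with a way back.
    if not exc.rollback_tested:
        findings.append("rollback procedure has not been tested")
    if exc.snapshot_taken is None:
        findings.append("no backup/snapshot recorded")
    elif (today - exc.snapshot_taken).days > MAX_SNAPSHOT_AGE_DAYS:
        findings.append("backup/snapshot is older than the freshness window")
    if not exc.dependencies_ordered:
        findings.append("dependency order for the patch set is undefined")
    if not exc.post_patch_validation_defined:
        findings.append("post-patch validation plan is missing")
    if not exc.residual_risk_updated:
        findings.append("residual-risk record has not been updated")
    return findings


# Constructed fixtures (not the repository's test fixtures).
TODAY = date(2025, 3, 1)
VULNERABLE = PatchException(
    patch_id="patch-0001", priority="P1", original_due=date(2025, 1, 15),
    granted_on=date(2024, 12, 1), renewal_count=3, auto_renewed=True,
    control_last_verified=date(2024, 12, 1), rollback_tested=False,
    snapshot_taken=date(2025, 2, 1), dependencies_ordered=False,
    post_patch_validation_defined=False, residual_risk_updated=False,
    closure_criteria="",
)
BENIGN = PatchException(
    patch_id="patch-0002", priority="P2", original_due=date(2025, 3, 31),
    granted_on=date(2025, 2, 20), renewal_count=0, auto_renewed=False,
    control_last_verified=date(2025, 2, 25), rollback_tested=True,
    snapshot_taken=date(2025, 2, 27), dependencies_ordered=True,
    post_patch_validation_defined=True, residual_risk_updated=True,
    closure_criteria="vendor fix deployed and validated in production",
)

if __name__ == "__main__":
    for rec in (VULNERABLE, BENIGN):
        print(rec.patch_id, evaluate(rec, TODAY) or ["all gates pass"])
```

The point of keeping `original_due` immutable is the one the description makes: age and lateness are always measured against the first deadline, so a renewed exception cannot appear on time simply because its current deadline was pushed out.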



Development

Successfully merging this pull request may close these issues.

[REVIEW] patch-prioritization: add exception aging and rollback readiness gates
