Improve SIEM suppression governance gates

[DENGXUELIN]

/claim #1491

Summary

• Adds suppression and exception governance gates to siem-rules.
• Requires owner/ticket/scope/expiry, true-positive replay, before/after counts, residual coverage, lookup or macro review, and stale high-value-asset suppression escalation.
• Adds benign and vulnerable JSON fixtures for governed suppression versus permanent allowlist removal of true positives.

Validation

• git diff --check origin/main...HEAD
• JSON parse check for both fixtures
• Markdown fence-balance and required-marker checks
• Added-line sensitive-pattern scan
• git merge-tree --write-tree origin/main HEAD matched HEAD^{tree}