Add scanner tuning blackout coverage evidence gates#1546

Open
minorstep wants to merge 1 commit into
UnitOneAI:mainfrom
minorstep:codex/scanner-tuning-blackout-coverage
Conversation

@minorstep
Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: scanner-tuning
Skill path: skills/vuln-management/scanner-tuning/

What Was Wrong

#1528 shows that the skill had scheduling guidance, but did not force reviewers to treat maintenance blackouts, short scan windows, stale authenticated coverage, and missed-host lists as coverage-risk evidence. A policy could look operationally safe while still hiding critical exposure.

What This PR Fixes

  • Bumps scanner-tuning to v1.0.1.
  • Adds blackout calendar and coverage-freshness context requirements.
  • Adds scan-window coverage gap gates for blackout compensation, authenticated freshness, window completion, patch validation timing, and emergency CVE scans.
  • Extends the output with explicit scan-window coverage controls.
  • Adds calibration fixtures for compensated blackout windows, stale quarter-end freeze coverage, short-window misses, post-remediation validation, and missing emergency CVE paths.

Closes #1528.

Evidence

Before (skill misses this / false positive on this):

Scan Policy: PROD-WINDOW-ONLY
Schedule: Sunday 02:00-06:00 local time
Maintenance blackout: no scans during last 10 days of quarter
Authenticated scan: enabled
Last completed scan for critical hosts: 46 days ago
Patch SLA closure: based on pre-remediation scan

After (now correctly handled):

coverage_evidence_gate: Stale blackout coverage
expected_decision: finding_expected
required_checks:
  - catch-up scan or risk acceptance after blackout
  - authenticated scan freshness by asset tier
  - skipped-host and timeout reporting
  - post-remediation scan before SLA closure
  - emergency CVE targeted scan path

Test Cases Added/Updated

  • Added calibration fixtures in skills/vuln-management/scanner-tuning/tests/scan-window-coverage-fixtures.md
  • Existing prompt-injection and allowed-tools constraints preserved
  • Existing markdown/frontmatter structure still validates locally

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: available through the repository-approved payout flow; no private payout details are posted publicly.

Framework References

  • CVSS 4.0 remains the severity-validation and environmental-context reference.
  • CWE remains the vulnerability-classification reference.
  • CIS Controls v8 Control 7 and PCI DSS 4.0 Requirement 11.3 remain the vulnerability-scanning coverage references already used by the skill.

Testing

  • git diff --check
  • git diff --cached --check
  • Local validation for frontmatter version, markdown fence balance, ASCII-only content, and fixture IDs/YAML parse
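As an added illustration of the scan-window gates the description lists (not the scanner-tuning skill's own code), a checker that evaluates a policy record against the five `required_checks` from the "After" block; the field names, the `FRESHNESS_DAYS` thresholds and both sample records are assumptions constructed here.

```python
# Added example; field names and FRESHNESS_DAYS are assumptions, not the skill's.
from dataclasses import dataclass, replace

# Assumed freshness limits in days; the PR only says "by asset tier".
FRESHNESS_DAYS = {"critical": 7, "high": 14, "standard": 30}

@dataclass
class ScanPolicy:
    asset_tier: str
    authenticated: bool
    last_completed_scan_days: int
    blackout_active: bool
    catch_up_scan_scheduled: bool
    blackout_risk_accepted: bool
    skipped_hosts_reported: bool
    timeouts_reported: bool
    sla_closure_basis: str  # "pre-remediation" or "post-remediation"
    emergency_cve_scan_path: bool

def failed_checks(p: ScanPolicy) -> list[str]:
    """Return the required_checks (as named in the PR evidence) that this policy fails."""
    failures = []
    if p.blackout_active and not (p.catch_up_scan_scheduled or p.blackout_risk_accepted):
        failures.append("catch-up scan or risk acceptance after blackout")
    limit = FRESHNESS_DAYS.get(p.asset_tier, FRESHNESS_DAYS["standard"])
    if not p.authenticated or p.last_completed_scan_days > limit:
        failures.append("authenticated scan freshness by asset tier")
    if not (p.skipped_hosts_reported and p.timeouts_reported):
        failures.append("skipped-host and timeout reporting")
    if p.sla_closure_basis != "post-remediation":
        failures.append("post-remediation scan before SLA closure")
    if not p.emergency_cve_scan_path:
        failures.append("emergency CVE targeted scan path")
    return failures

def expected_decision(p: ScanPolicy) -> str:
    return "finding_expected" if failed_checks(p) else "no_finding"

# Constructed record mirroring the PR's "Before" evidence: quarter-end blackout,
# critical hosts last scanned 46 days ago, SLA closed on the pre-remediation scan.
BEFORE = ScanPolicy(asset_tier="critical", authenticated=True, last_completed_scan_days=46,
                    blackout_active=True, catch_up_scan_scheduled=False,
                    blackout_risk_accepted=False, skipped_hosts_reported=False,
                    timeouts_reported=False, sla_closure_basis="pre-remediation",
                    emergency_cve_scan_path=False)
# Same policy once the blackout is compensated and coverage evidence is fresh.
AFTER = replace(BEFORE, catch_up_scan_scheduled=True, last_completed_scan_days=3,
                skipped_hosts_reported=True, timeouts_reported=True,
                sla_closure_basis="post-remediation", emergency_cve_scan_path=True)

if __name__ == "__main__":
    print(expected_decision(BEFORE), failed_checks(BEFORE))
    print(expected_decision(AFTER), failed_checks(AFTER))
```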

Development

Successfully merging this pull request may close these issues.

[REVIEW] scanner-tuning: add maintenance blackout and scan-window coverage gap gates