Summary

• add a hit-counter freshness evidence gate for unused-rule review
• require counter baseline, policy install/commit history, uptime and HA reset history, flow-log cross-checks, object lifecycle, and owner/ticket evidence before recommending removal
• add vulnerable and benign fixtures for decommissioned zero-hit rules versus recently reset counters with active flow logs

Validation

• git diff --check origin/main...HEAD
• Markdown fence balance check
• Added-line ASCII check
• Content marker check for hit-counter freshness, counter baseline, policy install, HA failover, flow-log cross-check, owner/ticket, and decommissioned evidence
• git merge-tree --write-tree origin/main HEAD

Closes #1670

Bounty request: Improver Moderate / USD 100 if accepted.