Improve segmentation failover route gates #2215

Open
DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/segmentation-failover-route-fixtures-2074

@DENGXUELIN

/claim #2074

Skill Improvement ($50-150 Bounty)

Related review issue: #2074

Summary

This improves segmentation by adding failover route bypass evidence gates so normal-state diagrams are not treated as proof that segmentation survives HA, cloud route propagation, transit, peering, VPN, Direct Connect, ExpressRoute, NAT, or asymmetric return-path changes.

Changes

  • Add SEG-FAIL-01 through SEG-FAIL-08 evidence gates.
  • Require high-risk zone-pair inventory, normal and failover effective routes, PEP traversal in both states, transit/peering/VPN bypass checks, denied-flow tests before and after failover, standby deny/default-deny and logging preservation, return-path checks, and monitoring/retest triggers.
  • Extend the output format with Failover Route Evidence inventory and gate results.
  • Add skill-local benign and vulnerable JSON fixtures.

Bounty Tier

  • Minor ($50) - Small improvements, typo fixes, minor clarifications
  • Moderate ($100) - Adds meaningful coverage, new validation gates, or useful fixtures
  • Substantial ($150) - Major restructuring, broad new coverage, or comprehensive test suite additions

Validation

  • git diff --cached --check
  • git diff --check origin/main...HEAD
  • JSON parse check for both fixtures
  • Markdown fence balance check
  • marker checks for SEG-FAIL-01 through SEG-FAIL-08
  • added-line realistic-secret-pattern scan
  • git merge-tree --write-tree origin/main HEAD matches HEAD^{tree}
  • fork branch pushed; remote branch commit verified against local HEAD

Payment preference

GitHub Sponsors, if accepted.
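
An added example, not part of this pull request or the UnitOneAI repository: a minimal check that compares normal and failover effective routes per high-risk zone pair and fails any pair whose forward or return path skips a policy enforcement point (PEP) or whose denied-flow test was not blocked. The inventory schema, zone names and device names are assumptions and do not reflect the PR's fixtures or its SEG-FAIL gate definitions.

```python
"""Check that high-risk zone pairs still cross a PEP after failover."""
from typing import Dict, List

STATES = ("normal", "failover")

# Constructed inventory. Schema, zone names and device names are assumptions
# made for this example; they are not taken from the PR's fixtures.
INVENTORY = [
    {"pair": "user-lan->pci-db", "peps": {"fw-a", "fw-b"},
     "routes": {"normal": ["core-1", "fw-a", "pci-sw"],
                "failover": ["core-2", "fw-b", "pci-sw"]},
     "return_routes": {"normal": ["pci-sw", "fw-a", "core-1"],
                       "failover": ["pci-sw", "fw-b", "core-2"]},
     "denied_flow_blocked": {"normal": True, "failover": True}},
    # Failover forward path moves to a transit hub while the return path stays on fw-b.
    {"pair": "vendor-vpn->ot-hmi", "peps": {"fw-a", "fw-b"},
     "routes": {"normal": ["vpn-gw", "fw-a", "ot-sw"],
                "failover": ["vpn-gw", "transit-hub", "ot-sw"]},
     "return_routes": {"normal": ["ot-sw", "fw-a", "vpn-gw"],
                       "failover": ["ot-sw", "fw-b", "vpn-gw"]},
     "denied_flow_blocked": {"normal": True, "failover": False}},
]

def evaluate_pair(entry: dict) -> List[str]:
    """Return findings for one zone pair; an empty list means it passes."""
    findings = []
    for state in STATES:
        fwd = entry["routes"].get(state)
        ret = entry["return_routes"].get(state)
        if not fwd or not ret:
            # A missing route dump is a failure, not an implicit pass.
            findings.append(f"{state}: effective route evidence missing")
            continue
        if not entry["peps"] & set(fwd):
            findings.append(f"{state}: forward path bypasses PEP")
        if not entry["peps"] & set(ret):
            findings.append(f"{state}: return path bypasses PEP")
        if entry["denied_flow_blocked"].get(state) is not True:
            findings.append(f"{state}: denied-flow test not blocked or not run")
    return findings

def evaluate(inventory: List[dict]) -> Dict[str, List[str]]:
    return {e["pair"]: evaluate_pair(e) for e in inventory}

if __name__ == "__main__":
    for pair, findings in evaluate(INVENTORY).items():
        print("PASS" if not findings else "FAIL", pair, findings)
```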
