
docs: add segmentation validation evidence gates #1350

Open

catcherintheroad-hub wants to merge 1 commit into UnitOneAI:main from catcherintheroad-hub:improve/segmentation-validation-evidence

Conversation

@catcherintheroad-hub


Summary

Adds segmentation validation evidence gates to segmentation so zone boundaries are proven with denied-path, allowed-path, exception, and failover evidence instead of diagrams alone.

Changes

  • Added SEG-TEST-01 through SEG-TEST-08 for test matrix gaps, denied-path proof, exception governance, failover/bypass tests, representative test sources, CDE/crown-jewel validation, post-change retesting, and evidence references.
  • Added required evidence fields for test matrices, test sources, denied-path proof, allowed-path proof, exception registers, and failover evidence.
  • Added validation decision guidance for diagram-only segmentation, untested denied paths, active exceptions, admin-only test sources, and failover route changes.
  • Extended the output template with a Segmentation Validation Evidence table.
  • Added pitfalls for testing only permitted paths, permanent temporary exceptions, and ignoring failover/alternate routing paths.
  • Added edge-case fixtures for diagram-only CDE segmentation, migration exceptions without expiry, and failover transit paths that were not tested.

Validation

  • git diff --check
  • Added-line non-ASCII scan
  • Added-line prompt-injection marker scan
  • Markdown code fence balance check for touched files

Related issue

Created from review issue: #1349

@chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6a8659dd3f


|---|---|---|
| Test matrix | Source zone, destination zone, protocol, port, expected result, actual result | Boundary is asserted but not proven |
| Test source | Host/pod/subnet identity, role, route table, security group, namespace | Test does not represent real traffic path |
| Denied-path proof | Firewall deny log, flow log reject, packet capture, or command output | Blocks cannot be independently verified |


P2: Require control-side proof for denied paths

For denied-path validation, raw command output is not enough to prove that a boundary control blocked traffic: a timeout or connection refusal can also mean the destination host is down, the route is broken, or no service is listening. In those cases the skill can mark an untested or ineffective boundary as validated, especially for CDE/crown-jewel paths. Please require firewall/flow-log/packet-capture evidence, or pair command output with evidence that the target service is reachable from an authorized source on the same port.

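The decision rule the review comment asks for, as an added example that is not code from the PR or from the UnitOneAI project: a denied-path row counts as validated only when the boundary control itself logged the reject, or when the probe's failure is paired with a positive control showing the same destination port is reachable from an authorized source. The flow-log layout (src dst dstport protocol-number action), the `DeniedPathTest` fields and the sample records are all constructed for this illustration.

```python
"""Classify a segmentation denied-path test as validated, untested or failed.

Added example (not the project's own code). Assumes a constructed,
simplified flow-log layout: srcaddr dstaddr dstport protocol action.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample flow-log records; not real traffic.
FLOW_LOG = """\
10.10.1.5 10.50.0.20 443 6 ACCEPT
10.20.3.7 10.50.0.20 443 6 REJECT
10.20.3.7 10.50.0.20 5432 6 REJECT
"""

PROTO_NUM = {"tcp": 6, "udp": 17}


@dataclass
class DeniedPathTest:
    """One row of the test matrix plus what the probe observed."""
    src: str
    dst: str
    proto: str
    port: int
    probe_result: str                            # "timeout", "refused" or "connected"
    allowed_source_reached: Optional[bool] = None  # positive control on same dst:port


def control_side_rejects(log_text: str, test: DeniedPathTest) -> bool:
    """True if the boundary control logged a REJECT for exactly this 5-tuple."""
    wanted = (test.src, test.dst, test.port, PROTO_NUM[test.proto], "REJECT")
    for line in log_text.splitlines():
        src, dst, port, proto, action = line.split()
        if (src, dst, int(port), int(proto), action) == wanted:
            return True
    return False


def validation_decision(test: DeniedPathTest, log_text: str = "") -> str:
    """Apply the evidence gate: command output alone never proves a block."""
    if test.probe_result == "connected":
        return "failed"          # the path is not denied at all
    if control_side_rejects(log_text, test):
        return "validated"       # control-side proof exists
    if test.allowed_source_reached is True:
        return "validated"       # service is up, so the failure is a real block
    return "untested"            # a timeout may only mean the host is down
```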
