
Add scanner CVSS threat provenance gates#1134

Open

minorstep wants to merge 2 commits into UnitOneAI:main from minorstep:codex/scanner-cvss-threat-provenance

Conversation

@minorstep

/claim #1132

Summary

Updates scanner-tuning as an Improver-tier skill improvement for #1132. The change makes CVSS v4.0 Threat metric provenance first-class during scanner severity normalization, so Base-only scores are not presented as final tuned severity without supporting Threat and Environmental evidence.

What changed

  • Added CVSS score provenance context for vector source, source date, and score type.
  • Added a CVSS Threat metric evidence gate for E:A, E:P, E:U, and E:X with source/date requirements.
  • Added CVSS-B, CVSS-BT, CVSS-BE, and CVSS-BTE score labelling.
  • Updated severity override and cross-scanner correlation guidance so NVD Base is a baseline input, not automatically the final tuned severity.
  • Added Supplemental metric context for Automatable, Recovery, Value Density, Provider Urgency, Safety, and response-effort signals.
  • Expanded the output template with CVSS provenance and Supplemental context fields.
  • Added pitfalls for Base-only severity reporting and environmental downgrades hiding active exploitation.

Validation

  • git diff --check
  • Markdown fence-balance check
  • Targeted content assertions for CVSS-B/BT/BE/BTE labels, Threat evidence, vector source/date, Supplemental context, and report output
  • Private payout/payment-string scan of the changed skill file
  • Live HTTP 200 checks for FIRST CVSS v4.0 specification document, FIRST CVSS v4.0 implementation guide, FIRST CVSS calculator, and CWE. The pre-existing NVD reference returned HTTP 403 from automated access, so it was not treated as a new reference failure.
  • Final pre-submit searches found no visible PR referencing "[REVIEW] scanner-tuning: add CVSS v4 Threat metric evidence and score provenance" (#1132), "CVSS-BT scanner-tuning", or "CVSS v4 Threat metric scanner-tuning".

Bounty note

This is a public Improver-tier submission. Payment details can be provided privately after maintainer acceptance.
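The Threat metric evidence gate and CVSS-B/BT/BE/BTE labelling described in the summary above, as an added worked example that is not code from this PR or the UnitOneAI repository (the scanner-tuning skill file the PR changes is prose guidance, not code). It parses a CVSS v4.0 vector, assigns the nomenclature label from the FIRST CVSS v4.0 specification (a metric left at X, Not Defined, does not count as supplied), and refuses to mark a score as final tuned severity unless E:A, E:P or E:U is present with a vector source and source date. The `ScoreProvenance`/`GateResult` names, the policy that a final severity also needs Environmental metrics, the E:A-beside-downgrade warning, and the sample vectors are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Metric groups as named in the FIRST CVSS v4.0 specification.
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
ENVIRONMENTAL = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
SUPPLEMENTAL = ("S", "AU", "R", "V", "RE", "U")
EXPLOIT_MATURITY = {"A": "Attacked", "P": "Proof-of-Concept",
                    "U": "Unreported", "X": "Not Defined"}


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:4.0/AV:N/...' into {metric: value}; rejects other CVSS
    versions, duplicate metrics and vectors missing a mandatory Base metric."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics: dict = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not value or name in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    if metrics.get("E", "X") not in EXPLOIT_MATURITY:
        raise ValueError(f"unknown Exploit Maturity value E:{metrics['E']}")
    return metrics


def score_label(metrics: dict) -> str:
    """CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE per the v4.0 nomenclature.
    X (Not Defined) is not 'supplied'; Supplemental metrics never change the label."""
    has_threat = metrics.get("E", "X") != "X"
    has_env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


@dataclass
class ScoreProvenance:
    """Provenance a finding carries next to its vector (hypothetical shape)."""
    vector: str
    source: Optional[str] = None        # who asserted the vector
    source_date: Optional[date] = None  # when that source published it
    score_type: str = "base"            # "base" or "tuned", as the scanner says


@dataclass
class GateResult:
    label: str
    final: bool                          # reportable as final tuned severity?
    blocking: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    supplemental: dict = field(default_factory=dict)


def gate_score(p: ScoreProvenance) -> GateResult:
    """Threat evidence gate plus the consistency checks from the PR's pitfalls."""
    metrics = parse_vector(p.vector)
    label = score_label(metrics)
    r = GateResult(label=label, final=False)
    exploit = metrics.get("E", "X")

    if exploit == "X":
        r.blocking.append("E:X (Not Defined): baseline input, not a tuned severity")
    else:
        # E:A, E:P and E:U are only accepted with a source and a source date.
        if not p.source:
            r.blocking.append(f"E:{exploit} ({EXPLOIT_MATURITY[exploit]}) has no vector source")
        if p.source_date is None:
            r.blocking.append(f"E:{exploit} has no source date")
    if not label.endswith("E"):
        # Example policy (assumption): a tuned severity needs Environmental metrics too.
        r.blocking.append("no Environmental metrics: not tuned to this deployment")

    if p.score_type == "tuned" and label == "CVSS-B":
        r.warnings.append("scanner labels a Base-only vector as tuned")
    if exploit == "A" and label.endswith("E"):
        # Pitfall: an Environmental downgrade must not hide active exploitation.
        r.warnings.append("E:A with Environmental modifiers: report active exploitation next to any downgrade")

    r.supplemental = {m: metrics[m] for m in SUPPLEMENTAL if metrics.get(m, "X") != "X"}
    r.final = not r.blocking
    return r


# Constructed sample findings (not real scanner output).
BASE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
SAMPLES = {
    "nvd_base_only": ScoreProvenance(BASE_VECTOR, source="NVD", score_type="base"),
    "threat_unsourced": ScoreProvenance(BASE_VECTOR + "/E:P", score_type="tuned"),
    "fully_tuned": ScoreProvenance(BASE_VECTOR + "/E:A/CR:H/MAV:N/AU:Y",
                                   source="vendor advisory", source_date=date(2024, 6, 1),
                                   score_type="tuned"),
}


def run_samples() -> dict:
    """Gate every sample; only 'fully_tuned' may be reported as final severity."""
    return {name: gate_score(p) for name, p in SAMPLES.items()}
```

Running `run_samples()` labels the NVD vector CVSS-B and blocks it on both counts (E:X and no Environmental metrics), blocks the CVSS-BT sample because its E:P has neither source nor date, and passes the CVSS-BTE sample while still attaching the E:A warning so a correlation step cannot let the Environmental adjustment bury the active-exploitation signal. Supplemental metrics (here AU:Y) are surfaced as context without affecting the label, matching the spec's treatment of that group.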
