Improve segmentation effective policy decision gates #1397

Open
MAUROCERON wants to merge 1 commit into UnitOneAI:main from MAUROCERON:improve/segmentation-effective-decision-1394

@MAUROCERON

Implements #1394.

Summary

  • Adds an effective policy decision and shadowing evidence gate to the segmentation skill.
  • Requires runtime labels, selector resolution, enforcement mode, tier/order/default action, deny precedence, and expected-vs-observed flow evidence before marking a restricted flow as passing.
  • Adds edge-case fixtures for Kubernetes broad allow shadowing, Calico Pass fallthrough, Cilium deny/allow overlap, complete effective decision matrices, and manifest-only evidence gaps.

Validation

  • Markdown fence balance check for touched files.
  • ASCII scan for touched files.
  • Marker checks for selector resolution, tier/order/default action, deny precedence, expected vs observed, Calico Pass, Cilium deny, and Not Evaluable.
  • Reference URL checks for Kubernetes NetworkPolicy API, Calico tiered policy, and Cilium deny policies.
  • Private payment details were not included in files or public issue/PR text.

Payment details can be provided privately after maintainer acceptance.
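
The shadowing case the gate described above targets, as an added example (not code from this pull request or the UnitOneAI repository): under Kubernetes NetworkPolicy's additive allow semantics, a broad allow makes a restricted flow effectively allowed, and a flow without runtime labels or an observed result is Not Evaluable. The `Policy` record, the `gate` function and all sample names are hypothetical, and the model is simplified to same-namespace ingress matched on pod labels.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:  # hypothetical record: same-namespace ingress matched on pod labels only
    name: str
    pod_selector: dict             # pods the policy selects ({} selects every pod)
    from_selector: Optional[dict]  # allowed sources ({} = any pod, None = no allow rule)

def matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())

def effective_decision(policies, src_labels, dst_labels):
    """Return (decision, names of the policies that allow the flow)."""
    if src_labels is None or dst_labels is None:
        return "Not Evaluable", []   # manifest-only evidence: no runtime labels to resolve
    selecting = [p for p in policies if matches(p.pod_selector, dst_labels)]
    if not selecting:
        return "Allow", []           # a pod no policy selects is not isolated
    allowing = [p.name for p in selecting
                if p.from_selector is not None and matches(p.from_selector, src_labels)]
    return ("Allow" if allowing else "Deny"), allowing  # allows are additive

def gate(policies, src_labels, dst_labels, expected, observed):
    """Pass only when the computed and the observed result both equal the expected one."""
    decision, allowed_by = effective_decision(policies, src_labels, dst_labels)
    if decision == "Not Evaluable" or observed is None:
        return "Not Evaluable", allowed_by
    return ("Pass" if decision == expected == observed else "Fail"), allowed_by

# Constructed sample data (not taken from the PR's fixtures)
RESTRICT_DB = Policy("restrict-db", {"app": "db"}, {"app": "api"})
BROAD_ALLOW = Policy("allow-all-ingress", {}, {})
WEB, DB = {"app": "web"}, {"app": "db"}

if __name__ == "__main__":
    print(gate([RESTRICT_DB], WEB, DB, "Deny", "Deny"))
    print(gate([RESTRICT_DB, BROAD_ALLOW], WEB, DB, "Deny", "Allow"))
    print(gate([RESTRICT_DB], None, DB, "Deny", None))
```

The second call fails and names `allow-all-ingress` as the shadowing policy, which is the evidence a reviewer needs to see before a restricted flow is accepted as passing.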
