Add alert closure evidence and tuning handoff gates#2233

Open
Errordog2 wants to merge 1 commit into
UnitOneAI:mainfrom
Errordog2:codex/alert-triage-closure-handoff-gates

Conversation

@Errordog2

/claim #2222

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with at least one AI coding agent (which one: OpenAI Codex)
  • No prohibited patterns per SECURITY.md
  • index.yaml updated with new skill entry (not applicable: existing skill only)

What This PR Does

Adds the #2222 closure-evidence and tuning-handoff gates to skills/secops/alert-triage/SKILL.md so BTP/FP dispositions require auditable closure evidence instead of analyst memory alone.

The update adds:

  • source-of-truth and owner-confirmation requirements before BTP/FP closure;
  • time/scope fit checks for maintenance, emergency, privileged, regulated, and customer-managed activity;
  • temporary exception expiry and customer approval requirements;
  • recurrence-driven detection-engineering handoff fields;
  • output template sections for closure evidence and tuning handoff;
  • a common pitfall and v1.0.1 changelog entry.

Framework References

  • NIST SP 800-61 Rev 2 detection, analysis, documentation, prioritization, and escalation guidance
  • MITRE ATT&CK v16 technique/tactic context used for alert correlation and tuning safety constraints

Testing

  • git diff --check
  • Frontmatter required-field check over skills/ and roles/
  • Index file existence check for index.yaml entries
  • Prompt-injection pattern scan equivalent to the repository workflow
  • Targeted rg checks for version and new sections
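The gates the PR describes (source of truth, owner confirmation, time/scope fit, exception expiry with customer approval, recurrence-driven tuning handoff) can be made mechanical. The following is an added illustration, not code from this PR or the UnitOneAI repository; the record fields, the handoff fields and the recurrence threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
# Constructed checker; the field names and the recurrence threshold are assumptions, not the skill's own schema.
RECURRENCE_HANDOFF_THRESHOLD = 3   # benign recurrences before detection engineering must take the alert
HANDOFF_FIELDS = ("detection_id", "proposed_change", "owner")
@dataclass
class ClosureRecord:
    alert_id: str
    disposition: str                              # "TP", "BTP" or "FP"
    source_of_truth: str = ""                     # change ticket, CMDB entry, runbook, ...
    owner_confirmed: bool = False                 # asset/activity owner confirmed it was theirs
    activity_start: Optional[datetime] = None     # documented window of the benign activity
    activity_end: Optional[datetime] = None
    observed_at: Optional[datetime] = None        # when the alerted event actually happened
    exception_expires: Optional[datetime] = None  # set only for temporary exceptions
    customer_approved: bool = False               # required for customer-managed exceptions
    recurrence_count: int = 0                     # times this alert closed as BTP/FP before
    tuning_handoff: dict = field(default_factory=dict)
def closure_gaps(rec: ClosureRecord, now: datetime) -> list:
    """Return the gate failures that block a BTP/FP closure; an empty list means it may close."""
    if rec.disposition not in ("BTP", "FP"):
        return []                                 # gates apply to benign/false-positive closures only
    gaps = []
    if not rec.source_of_truth:
        gaps.append("no source of truth recorded")
    if not rec.owner_confirmed:
        gaps.append("owner has not confirmed the activity")
    if None in (rec.activity_start, rec.activity_end, rec.observed_at):
        gaps.append("activity window or observation time not documented")
    elif not rec.activity_start <= rec.observed_at <= rec.activity_end:
        gaps.append("observed time falls outside the documented activity window")
    if rec.exception_expires is not None:
        if rec.exception_expires <= now:
            gaps.append("temporary exception has expired")
        if not rec.customer_approved:
            gaps.append("temporary exception lacks customer approval")
    if rec.recurrence_count >= RECURRENCE_HANDOFF_THRESHOLD:
        missing = [f for f in HANDOFF_FIELDS if not rec.tuning_handoff.get(f)]
        if missing:
            gaps.append("recurrence threshold reached; tuning handoff missing " + ", ".join(missing))
    return gaps

def demo() -> dict:
    # Two constructed records: one fully evidenced, one with an expired exception and repeated closures.
    t0 = datetime(2024, 5, 1, 2, tzinfo=timezone.utc)
    window = dict(activity_start=t0, activity_end=t0.replace(hour=4), observed_at=t0.replace(hour=3))
    good = ClosureRecord("ALR-1", "BTP", "CHG-0042", True, **window)
    stale = ClosureRecord("ALR-2", "FP", "CHG-0042", True, exception_expires=t0, recurrence_count=3, **window)
    return {r.alert_id: closure_gaps(r, datetime(2024, 5, 2, tzinfo=timezone.utc)) for r in (good, stale)}
```

`demo()` returns an empty gap list for ALR-1 and three blocking gaps for ALR-2, so the second closure would be held until the exception is renewed and approved and the tuning handoff fields are filled.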
