fix(aggregator): classify submit_commitment/get_inclusion_proof failures as unreachable

[vrogojin]

Summary

A real testnet outage on goggregator-test.unicity.network (HTTP 401 Unauthorized on submit_commitment) was being reported as DEGRADED (CLI exit 1) instead of UNREACHABLE (CLI exit 2). Downstream e2e pre-flight gates that only fire on exit 2 silently let test suites run against an aggregator that couldn't accept commitments — producing 35 phantom `Submit failed: [object Object]` failures on the SDK side (companion: sphere-sdk #191 / PR #192 fixes the SDK-side error stringification so the next outage at least surfaces the underlying reason).

Root cause: the verdict logic in src/probes/aggregator.mjs counted ALL failed checks uniformly — one fail = degraded, two fails = unreachable. That treated submit_commitment (the canonical write-path functional check the aggregator EXISTS to serve) as no more important than the diagnostic JSON-RPC plane probe. The CLAUDE.md "False-negative discipline" section explicitly warns against exactly this: "Functional checks are authoritative for the verdict; advisory checks are not."

Fix

• Mark submit_commitment and get_inclusion_proof checks with a new critical: true field (backward-compatible — default falsy).
• Extract verdict computation into a pure exported function computeAggregatorStatus(checks) so the rule is testable network-free.
• New rule:
  1. Any critical-check fail → `unreachable`.
  2. Else ≥ 2 non-critical fails → `unreachable` (legacy preserved).
  3. Else exactly 1 non-critical fail OR any warn → `degraded`.
  4. Else → `healthy`.

Tests

8 new network-free tests in `tests/smoke.test.mjs` pin the rule:

• healthy path
• single non-critical fail → degraded
• warn → degraded
• critical fail (submit_commitment) → unreachable regardless of other passes (the headline reproducer)
• critical fail (get_inclusion_proof) → unreachable
• two non-critical fails → unreachable (legacy preserved)
• critical fail wins over warn-on-others
• explicit `critical: false` treated as non-critical

All 29 tests pass: `npm test` → `29 pass | 0 fail`.

Verified against live testnet

Before (v0.4.0):
```
⚠ aggregator https://goggregator-test.unicity.network
✓ health
✓ json-rpc
✗ submit_commitment HTTP 401 Unauthorized
✓ get_inclusion_proof
Status: DEGRADED (3/4 checks passed)
```
exit code: 1 (e2e preflight gates that only fire on exit 2 miss this).

After (this PR):
```
❌ aggregator https://goggregator-test.unicity.network
✓ health
✓ json-rpc
✗ submit_commitment HTTP 401 Unauthorized
✓ get_inclusion_proof
Status: UNREACHABLE (3/4 checks passed)
```
exit code: 2 (preflight gate fires; tests fail cleanly with a real signal).

Scope intentionally tight

Other probes (nostr publish, ipfs add+fetch, fulcrum tx-index) likely have similar functional checks that deserve critical: true flagging. Deferred to follow-up — this PR scopes to the reported regression.

The looseness in get_inclusion_proof (accepts any `result` object even when the just-submitted commitment didn't land) is a separate concern noted in CHANGELOG. Also deferred.

Test plan

• `npm test` — 29/29 pass
• Live probe against goggregator-test reproduces UNREACHABLE + exit 2
• Exit code 0 verified for healthy services (`--only fulcrum`)
• Downstream e2e preflight scripts pick up the new exit-2 signal — needs a quick check of consumers (out of scope for this repo)

[gemini-code-assist]

Code Review

This pull request introduces a new 'faucet' probe to the infrastructure monitoring tool, enabling verification of the Unicity test faucet. It also improves the aggregator probe's reliability by introducing a 'critical' check status, ensuring that failures in core write paths (submit_commitment and get_inclusion_proof) correctly trigger an 'unreachable' verdict instead of 'degraded'. The reviewer suggested elevating several error conditions in the new faucet probe from 'degraded' to 'unreachable' to better reflect the impact of malformed API responses on service availability.

[gemini-code-assist]

The request check is the primary functional check for the faucet. If the response is not valid JSON, the service is effectively unusable for a client. This should be considered unreachable, not degraded. This aligns with the primary goal of this PR, which is to correctly classify critical failures.

Suggested change

	return finalize('degraded', 'response shape malformed');
	return finalize('unreachable', 'response shape malformed');

[gemini-code-assist]

An unexpected success field value indicates a malformed response from the faucet's API. This should be treated as a critical failure, making the service unreachable rather than degraded.

Suggested change

	return finalize('degraded', 'response shape malformed');
	return finalize('unreachable', 'response shape malformed');

[gemini-code-assist]

When the faucet API indicates a failure (success: false) but omits the error or message field, the response is incomplete and violates the expected contract. This points to a server-side issue that should render the service unreachable, not just degraded.

Suggested change

	return finalize('degraded', 'error field missing on rejection');
	return finalize('unreachable', 'error field missing on rejection');