Separate observation from evaluation in blacklist sources

Each source's Query() method previously set r.Listed and r.Severity,
embedding verdict logic inside the prober. Evaluation now lives in a
dedicated Evaluate(SourceResult) (bool, string) method per source,
keeping Query() as pure observation.

A package-level EvaluateResult() helper looks up the source by ID and
delegates to its Evaluate method; rules.go, report.go, types.go, and
provider.go all call this instead of reading pre-set r.Listed/r.Severity
values. An unknownSource sentinel handles results whose source is no
longer registered.

checker/source.go

@@ -48,6 +48,13 @@ type Source interface {
 	// generic report wraps it with the title bar and severity styling.
 	// Called only when SourceResult.Listed is true.
 	Diagnose(res SourceResult) Diagnosis
+
+	// Evaluate inspects an already-collected SourceResult and returns
+	// whether the domain is considered listed and at what severity.
+	// Implementations must read observation fields only (Evidence,
+	// Reasons, Error, Enabled, BlockedQuery, Details) and must never
+	// consult r.Listed or r.Severity.
+	Evaluate(r SourceResult) (listed bool, severity string)
 }
 
 // DetailRenderer is an optional interface a Source can implement when
@@ -144,3 +151,18 @@ func Sources() []Source {
 	copy(out, registry)
 	return out
 }
+
+// EvaluateResult looks up the source that produced r from the registry
+// and delegates to its Evaluate method. Returns (false, "") when the
+// source is not found — a safe default that never promotes a stale
+// Listed=true value.
+func EvaluateResult(r SourceResult) (bool, string) {
+	registryMu.RLock()
+	defer registryMu.RUnlock()
+	for _, s := range registry {
+		if s.ID() == r.SourceID {
+			return s.Evaluate(r)
+		}
+	}
+	return false, ""
+}