Move status inference out of observation layer into rules

The prober (collect.go) was calling inferApexDNSKEYStatus during
zone parsing, effectively making a SECURE/BOGUS judgement inside the
collection phase rather than the evaluation phase.  The DNS-rcode
fallback (z.Status = z.DNSStatus) was also applied at parse time.

checker/report.go

@@ -147,14 +147,15 @@ func buildBanner(data *DNSVizData, states []sdk.CheckState) *bannerView {
 			z = data.Zones[leaf]
 		}
 	}
-	st := statusFromGrok(z.Status)
+	eff := effectiveStatus(z)
+	st := statusFromGrok(eff)
 	if w := worstStatus(states); w > st {
 		st = w
 	}
 	return &bannerView{
 		Status: st.String(),
 		Leaf:   strings.TrimSuffix(leaf, "."),
-		LeafSt: emptyAsUnknown(z.Status),
+		LeafSt: emptyAsUnknown(eff),
 	}
 }
 
@@ -381,7 +382,7 @@ func renderChain(data *DNSVizData) string {
 }
 
 func writeZoneBlock(b *strings.Builder, name string, idx, total int, z ZoneAnalysis, raw map[string]any) {
-	st := statusFromGrok(z.Status)
+	st := statusFromGrok(effectiveStatus(z))
 	level := zoneLevelLabel(idx, total)
 
 	// Default-open zones with problems so the user sees them without
@@ -399,8 +400,9 @@ func writeZoneBlock(b *strings.Builder, name string, idx, total int, z ZoneAnaly
 	if level != "" {
 		fmt.Fprintf(b, `<span class="level">%s</span>`, html.EscapeString(level))
 	}
-	fmt.Fprintf(b, `<span class="badge s-%s">%s</span>`, st.String(), html.EscapeString(emptyAsUnknown(z.Status)))
-	if z.DNSStatus != "" && !strings.EqualFold(z.DNSStatus, z.Status) {
+	eff := effectiveStatus(z)
+	fmt.Fprintf(b, `<span class="badge s-%s">%s</span>`, st.String(), html.EscapeString(emptyAsUnknown(eff)))
+	if z.DNSStatus != "" && !strings.EqualFold(z.DNSStatus, eff) {
 		fmt.Fprintf(b, `<span class="badge ghost">DNS: %s</span>`, html.EscapeString(z.DNSStatus))
 	}
 	if n := len(z.Errors); n > 0 {