Gate each remediation on the presence of the corresponding rule state
code rather than re-deriving from raw observation fields; falls back to
raw-data analysis when states are absent.
The binary doubles as its own healthcheck client via the SDK's
-healthcheck flag, so the probe works in the scratch image
(no shell, no curl, no wget).
