Address publication review feedback

Add the AGPL LICENSE file and a deployment-security note in the README
to clarify that the unauthenticated /collect endpoint must run on a
trusted network.

Fix the IPv6 reachability rule so it consults the IP actually probed:
PingTargetResult now carries ResolvedIP populated from pinger.IPAddr(),
which lets the rule classify hostname targets correctly instead of
always reporting "No IPv6 target pinged".

Tighten error handling: ipsFromService now propagates JSON errors,
ExtractMetrics wraps decode failures, the count option returns an
explicit error when out of range instead of silently clamping, and the
"all pings failed" message no longer concatenates every per-target
error. Threshold validation is factored into validateThresholdPair and
shared between the RTT and packet-loss rules.

Add unit tests covering address resolution, threshold validation, and
each rule's evaluation paths.

checker/types.go

@@ -29,9 +29,15 @@ type PingData struct {
 	Targets []PingTargetResult `json:"targets"`
 }
 
-// PingTargetResult contains the ping statistics for a single IP address.
+// PingTargetResult contains the ping statistics for a single target.
+//
+// Address is the user-supplied label (hostname or IP). ResolvedIP is the
+// IP that was actually probed; rules that need to reason about address
+// family (e.g. IPv6 reachability) must consult ResolvedIP because Address
+// can be a hostname.
 type PingTargetResult struct {
 	Address    string  `json:"address"`
+	ResolvedIP string  `json:"resolved_ip,omitempty"`
 	RTTMin     float64 `json:"rtt_min"`
 	RTTAvg     float64 `json:"rtt_avg"`
 	RTTMax     float64 `json:"rtt_max"`