Harden degraded-mode contract coverage

[ErenAri]

Summary

• add an audit-fallback tracing regression that verifies missing network hooks report AUDIT_FALLBACK, enforce_capable=false, and NETWORK_HOOK_UNAVAILABLE
• require silent partial attach, network/IMA fail-closed, no-pretend capability report, and capability artifact tests in the failure-mode contract
• update production readiness, quality gates, and posture-contract docs to match the enforced degraded-mode guarantees

Validation

• python3 tests/check_failure_modes_contract.py tests/test_policy.cpp tests/test_crash_policy.cpp tests/test_commands.cpp tests/test_metrics.cpp tests/test_tracing.cpp
• clang-format --dry-run --Werror tests/test_tracing.cpp
• cmake --build build --target aegisbpf_test -j$(nproc)
• ./build/aegisbpf_test --gtest_filter='TracingTest.DaemonRunRejectsSilentPartialAttachContract:TracingTest.DaemonRunFailsClosedWhenNetworkPolicyHooksMissing:TracingTest.DaemonRunFailsClosedWhenImaAppraisalRequiredButUnavailable:TracingTest.DaemonRunAuditFallbackReportsNetworkBlockerWithoutPretendEnforce:TracingTest.DaemonRunWritesCapabilityReportArtifact:TracingTest.DaemonRunStrictDegradeFailsWhenEnforceFallsBack'
• ctest --test-dir build --output-on-failure -j$(nproc)
• git diff --check