C13: CLI flags --deep-fingerprint + --audit-tls

[filipeforattini]

Parent

#46

What to build

Extend crawlex fingerprint <url> with two opt-in flags. --deep-fingerprint activates Fingerprinter::analyze_cold (DNS + ASN) and merges the resulting Detections into the printed report. --audit-tls activates the FP-B external oracle (tls.peet.ws by default, configurable via env var CRAWLEX_TLS_ORACLE), captures our outbound TLS handshake live, and includes the oracle's view of our handshake plus the comparison result in the JSON output.

Both flags are off by default — the basic crawlex fingerprint <url> behavior from C12 is unchanged.

Acceptance criteria

• --deep-fingerprint flag triggers analyze_cold and merges results into the report
• --audit-tls flag triggers oracle fetch + comparison; result lands in report.coherence and a new oracle_proof field on the printed JSON
• Default oracle endpoint configurable via CRAWLEX_TLS_ORACLE env var
• Oracle failure is non-fatal — emits oracle_proof: { error: "..." } and continues
• New tests cover both flags against mocked DNS + RDAP and a mocked oracle endpoint
• --help output documents both flags
• NDJSON regression byte-stable

Blocked by

• C7: Fingerprinter::analyze_cold dispatch (DNS + RDAP) #53
• C10: Coherence wired with real SelfFingerprint #57
• C12: CLI subcommand crawlex fingerprint <url> #58