feat!(alertd/doctor): replace per-check healthy bool with result enum

[passcod]

🤖 Replaces the per-check healthy: bool (plus skipped/ad-hoc flags) in the doctor wire format with a single result enum, and distinguishes broken healthchecks from unhealthy deployments.

Wire shape

Per-check entries in health[] now carry:

{ "check": "database", "result": "passed" }

with result: "passed" | "warning" | "failed" | "broken" | "skipped" — a proper sum type, exhaustively matchable on both sides:

• passed — check ran, system OK
• warning — check ran, system degraded but not fatally
• failed — check ran, system under test is unhealthy
• broken — the check itself errored/misconfigured; says nothing about the system
• skipped — precondition not met; check didn't run

The top-level healthy flag is dropped from the status payload entirely.

Broken healthchecks

SQL-backed checks previously reported any query error as FAIL, so a stale query (dropped column, json/jsonb drift, missing function) was indistinguishable from a genuine alert condition and blamed the deployment. Query errors with SQLSTATE class 42 ("syntax error or access rule violation") now report as broken via a shared query_error_check helper applied to all SQL-backed checks; other database errors still fail. Broken degrades the overall result but is not fatal.

Other changes

• warning goes on the wire as its own value rather than collapsing into healthy: false
• checks that returned pass-with-a-skipped-flag (fhir_jobs, sync_sessions, tamanu_service) now return proper skips
• overall_from_payload tiers on the per-check results: any failed → FAILING; any warning/broken → DEGRADED
• the CLI renders broken checks as BRKN and counts them in the summary line

Note

The live-spec contract tests now run in a dedicated "Canopy contract" CI job, excluded from the platform test jobs. That job is red on status_request_matches_spec until canopy deploys the matching shape — live canopy's spec still requires per-check healthy.