feat: HTTPS auto-normalization; robust TLS intel UI; global rules state; clean logging; preload

- Add SSL/TLS intelligence pipeline:
  - crt.sh lookup with expired-filtering and root-domain wildcard resolution
  - live TLS version/cipher probe with weak/legacy flags and probe notes
- UI: card + matrix rendering, raw JSON toggle, and host/wildcard cert lists
- Front page: checkbox to optionally fetch certificate/CT data

- Introduce `URLNormalizer` with punycode support and typo repair
  - Auto-prepend `https://` for bare domains (e.g., `google.com`)
  - Optional quick HTTPS reachability + `http://` fallback
- Provide singleton via function-cached `@singleton_loader`:
  - `get_url_normalizer()` reads defaults from Settings (if present)

- Standardize function-rule return shape to `(bool, dict|None)` across
  `form_*` and `script_*` rules; include structured payloads (`note`, hosts, ext, etc.)
- Harden `FunctionRuleAdapter`:
  - Coerce legacy returns `(bool)`, `(bool, str)` → normalized outputs
  - Adapt non-dict inputs to facts (category-aware and via provided adapter)
  - Return `(True, dict)` on match, `(False, None)` on miss
  - Bind-time logging with file:line + function id for diagnostics
- `RuleEngine`:
  - Back rules by private `self._rules`; `rules` property returns copy
  - Idempotent `add_rule(replace=False)` with in-place replace and regex (re)compile
  - Fix AttributeError from property assignment during `__init__`

- Replace hidden singleton factory with explicit builder + global state:
  - `app/rules/factory.py::build_rules_engine()` builds and logs totals
  - `app/state.py` exposes `set_rules_engine()` / `get_rules_engine()` as the SOF
  - `app/wsgi.py` builds once at preload and publishes via `set_rules_engine()`
- Add lightweight debug hooks (`SS_DEBUG_RULES=1`) to trace engine id and rule counts

- Unify logging wiring:
  - `wire_logging_once(app)` clears and attaches a single handler chain
  - Create two named loggers: `sneakyscope.app` and `sneakyscope.engine`
  - Disable propagation to prevent dupes; include pid/logger name in format
- Remove stray/duplicate handlers and import-time logging
- Optional dedup filter for bursty repeats (kept off by default)

- Gunicorn: enable `--preload` in entrypoint to avoid thread races and double registration
- Documented foreground vs background log “double consumer” caveat (attach vs `compose logs`)

- Jinja: replace `{% return %}` with structured `if/elif/else` branches
- Add toggle button to show raw JSON for TLS/CT section

- Consumers should import the rules engine via:
  - `from app.state import get_rules_engine`
- Use `build_rules_engine()` **only** during preload/init to construct the instance,
  then publish with `set_rules_engine()`. Do not call old singleton factories.

- New/changed modules (high level):
  - `app/utils/urltools.py` (+) — URLNormalizer + `get_url_normalizer()`
  - `app/rules/function_rules.py` (±) — normalized payload returns
  - `engine/function_rule_adapter.py` (±) — coercion, fact adaptation, bind logs
  - `app/utils/rules_engine.py` (±) — `_rules`, idempotent `add_rule`, fixes
  - `app/rules/factory.py` (±) — pure builder; totals logged post-registration
  - `app/state.py` (+) — process-global rules engine
  - `app/logging_setup.py` (±) — single chain, two named loggers
  - `app/wsgi.py` (±) — preload build + `set_rules_engine()`
  - `entrypoint.sh` (±) — add `--preload`
  - templates (±) — TLS card, raw toggle; front-page checkbox

Closes: flaky rule-type warnings, duplicate logs, and multi-worker race on rules init.

app/static/style.css

@@ -350,6 +350,11 @@ details pre.code {
   border: 1px solid #d9e2ec;
 }
 
+.checkbox-row {
+  display: flex; align-items: center; gap: .5rem;
+  margin: .5rem 0 1rem;
+}
+
 /* ==========================================================================
    11) Sticky Top Jump Navigation
    -------------------------------------------------------------------------- */
@@ -395,6 +400,52 @@ details pre.code {
   box-shadow: inset 0 0 0 1px rgba(59,130,246,.25);
 }
 
+/* --- Titles and structure --- */
+.card-title { margin: 0 0 .5rem; font-size: 1.1rem; }
+.section { margin-top: 1rem; }
+.section-header { display: flex; gap: .5rem; align-items: baseline; flex-wrap: wrap; }
+
+/* --- Divider --- */
+.divider { border: 0; border-top: 1px solid #1f2a36; margin: 1rem 0; }
+
+/* --- Badges / Chips --- */
+.badge { display: inline-block; padding: .15rem .5rem; border-radius: 999px; font-size: .75rem; border: 1px solid transparent; }
+.badge-ok { background: #0e3820; border-color: #2c6e49; color: #bff3cf; }
+.badge-warn { background: #3d290e; border-color: #9a6b18; color: #ffe2a8; }
+.badge-danger { background: #401012; border-color: #a33a42; color: #ffc1c5; }
+.badge-muted { background: #111826; border-color: #273447; color: #9fb0c3; }
+
+.chip { display: inline-block; padding: .1rem .4rem; border: 1px solid #273447; border-radius: 8px; font-size: .75rem; margin-right: .25rem; }
+.chip-warn { border-color: #9a6b18; }
+
+/* --- Text helpers --- */
+.muted { color: #9fb0c3; }
+.small { font-size: .8rem; }
+.mono { font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", monospace; }
+.prewrap { white-space: pre-wrap; }
+
+/* --- Lists / details --- */
+.list { margin: .5rem 0; padding-left: 1.1rem; }
+.details summary { cursor: pointer; }
+
+/* --- Grid --- */
+.grid.two { display: grid; grid-template-columns: 1fr; gap: 1rem; }
+@media (min-width: 900px) {
+  .grid.two { grid-template-columns: 1fr 1fr; }
+}
+
+/* --- TLS Matrix --- */
+.tls-matrix { border: 1px solid #1f2a36; border-radius: 10px; overflow: hidden; }
+.tls-matrix-row { display: grid; grid-template-columns: 120px 140px 1fr 100px; gap: .5rem; align-items: center;
+  padding: .5rem .75rem; border-bottom: 1px solid #1f2a36; }
+.tls-matrix-row:last-child { border-bottom: none; }
+
+.tls-cell.version { font-weight: 600; }
+.tls-cell.status {}
+.tls-cell.cipher {}
+.tls-cell.latency { text-align: right; }
+
+
 /* ==========================================================================
    12) Responsive Tweaks
    -------------------------------------------------------------------------- */