Add CT source observability and retry attribution

[auspexlabs]

Apologies for the earlier PR on this. I closed the first attempt because it was too broad; this is the smaller focused patch after letting the fork bake in live operation longer.

This makes the CT source identity already present in log-list discovery visible in Prometheus metrics, while preserving the existing human log labels.

The current code already parses log_id from RFC6962 and tiled/static CT catalog entries and dedupes discovered logs by that identity. This patch adds a stable metrics join key for that same source identity:

• log: existing human-readable label, preserved for compatibility
• source_id: stable machine-oriented label:
  • ctlog:<log_id> when a CT log ID is available
  • url:<normalized_url> for local/id-less custom sources

This avoids replacing existing log selectors while still making mixed RFC6962/static-CT behavior easier to inspect by source.

Changes:

• add certstream_ct_runtime_log_info
• keep existing per-log log labels and add source_id
• add CT log rate-limit counters with log_type
• add RFC6962 empty-response counter
• label static-CT checkpoint error increments with log + source_id
• centralize bounded Retry-After parsing for watcher 429 paths

Validation:

• cargo test
• git diff --check