fix(integration): verify probes :80 without following redirects

Accept caddy's 308 on :80 as proof the DNAT+forward path is alive; don't follow into https (tls internal has no cert for a bare-IP request). This load-bearing end-to-end check is what caught the br-+/br-* nftables-wildcard bug that the string-presence assert missed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

tests/integration/verify.yml

@@ -1,6 +1,6 @@
 ---
 # Integration verify (ADR-025). Outcome-based: proves Docker forwarding survives the
-# reboot. The load-bearing check probes the VM's published :443 FROM the controller
+# reboot. The load-bearing check probes the VM's published :80 FROM the controller
 # (ubongo) — if base's forward-drop killed DNAT, this times out (the FRICTION #1 bug).
 - name: Verify the rebooted host
   hosts: all
@@ -27,13 +27,16 @@
           forward chain is pure drop — container forwarding will die on reboot
           (FRICTION 2026-06-17 #1). docker_host container-forward drop-in missing.
 
-    - name: Published HTTPS port answers from the controller (DNAT + forward alive)
+    - name: Published port answers from the controller (DNAT + forward alive)
       delegate_to: localhost
       become: false
       ansible.builtin.uri:
-        url: "https://{{ ansible_host }}/"
+        # Probe :80 (plain HTTP) — any answer proves the published-port DNAT + forward path
-        validate_certs: false
+        # is alive. Don't follow caddy's HTTP->HTTPS redirect (its `tls internal` has no
-        status_code: [200, 308, 404, 502, 503]
+        # cert for a bare-IP HTTPS request); the 308 itself proves the path works.
+        url: "http://{{ ansible_host }}/"
+        follow_redirects: none
+        status_code: [200, 301, 308, 404, 502, 503]
         timeout: 10
       register: _probe
       retries: 5