Replaced the unauthenticated SeaweedFS probe (which accepted any HTTP
< 500 as passing) with a signed S3 ListBuckets request using AWS
Signature V4. Credentials are read from the seaweedfs-s3-credentials
K8s secret; a 200 response confirms authentication is working.
Updated tests to cover missing creds, 403 bad-creds, 502 gateway error,
and URLError cases.
All checks now run concurrently via ThreadPoolExecutor so total time
is bounded by the slowest single check, not their sum.
Timeout reduced from 10s to 5s per check. SeaweedFS check switched
from kubectl exec (wget not reliably available in container) to an
HTTP probe against the external S3 endpoint (https://s3.DOMAIN/) —
consistent with the "use external URLs for publicly facing services"
requirement. 403 is treated as healthy (unauthenticated S3 response).
Output now mirrors sunbeam status (namespace headers, checks indented
below). Any uncaught exception from a check is caught in cmd_check
and displayed as a failed check instead of crashing.
Also fix _http_get: TimeoutError and other raw OSError/SSL errors that
Python 3.13 doesn't always wrap in URLError are now normalized to
URLError before re-raising, so each check function's URLError handler
reliably catches all network failures.
