Harden rule health checks

tests/test_rules_unit.sh

@@ -60,11 +60,22 @@ reset_mock_state() {
 
 reset_mock_state
 uuid_v4=$(cmd_add_batch tcp 8080 127.0.0.1 80 4 'web service')
+line_v4=$(storage_get "${uuid_v4}")
 assert_eq '1' "$(storage_count)" 'cmd_add_batch should persist one rule'
 assert_eq '3' "$(grep -Ec '^iptables ' "${IPTABLES_MOCK_LOG}")" 'tcp/ipv4 add should emit three iptables commands'
-assert_contains "$(storage_get "${uuid_v4}")" "uuid=${uuid_v4}" 'stored line should contain generated uuid'
+assert_contains "${line_v4}" "uuid=${uuid_v4}" 'stored line should contain generated uuid'
 assert_eq '1' "$(grep -Ec 'persist-mock\.sh save' "${PERSIST_MOCK_LOG}")" 'successful add should trigger persist_save'
 assert_contains "$(ipt_find_by_uuid "${uuid_v4}")" "MGMT:${uuid_v4}" 'ipt_find_by_uuid should locate saved mock rules'
+assert_eq '✓' "$(rule_health_mark "${line_v4}")" 'healthy runtime rule should show ok marker'
+
+"${IPTABLES_BIN}" -t nat -D PREROUTING \
+  -p tcp --dport 8080 \
+  -j DNAT --to-destination 127.0.0.1:80 \
+  -m comment --comment "MGMT:${uuid_v4}"
+assert_contains "$(ipt_find_by_uuid "${uuid_v4}")" "MGMT:${uuid_v4}" 'partial runtime loss should still leave uuid-tagged rules'
+assert_eq '!' "$(rule_health_mark "${line_v4}")" 'partial runtime loss should mark rule unhealthy'
+list_output=$(cmd_list 0)
+[[ ${list_output} =~ [[:space:]]![[:space:]] ]] || fail 'cmd_list should expose degraded health marker'
 
 reset_mock_state
 uuid_both=$(cmd_add_batch both 5353 '127.0.0.1,::1' 53 both 'dual stack dns')