feat(infra)(#321): proxy serves trust-base + faucet surfaces verified nametag

[vrogojin]

Summary

Closes the loop on self-hosted nametag minting (xaleava-style use case from #321). With the changes in PRs #323 + #324 + js-faucet #3, the faucet can boot against our aggregator but the nametag mint silently failed because:

1. The SDK calls oracle.getTrustBase() during mint
2. UnicityAggregatorProvider.getTrustBase() returns null unless the trust base was loaded at initialize()
3. The trust base loader only runs when !skipVerification && trustBaseLoader — so a wallet that wants to use a self-hosted aggregator HAS to also supply a matching trust-base URL

This PR makes that possible by serving our trust-base from the aggregator proxy itself.

Two changes

1. aggregator-proxy serves /.well-known/trust-base.json

docker-compose.yml bind-mounts ./data/genesis:/etc/aggregator-config:ro into agg-proxy. nginx.conf.template adds a location that aliases the trust-base.json file from that mount. Wallets pointed at this aggregator can now download the matching trust base over HTTPS.

/health also picks up the pass-through fix from #323 (which has to land in the same commit to avoid a textual conflict).

2. render-discovery.sh surfaces the verified nametag

The discovery doc was showing nametag: null even after a successful mint. The watcher now tails for the nametag_verified log line (emitted by js-faucet AFTER mint+resolve completes) and rewrites identity.json with the verified nametag.

registering_nametag is NOT used as a signal because it fires BEFORE the mint commits — it would surface unverified state.

Verified live

$ curl -s https://aggregator-unicity-dev.dyndns.org/.well-known/trust-base.json | jq -c '{networkId, rootNode: .rootNodes[0].nodeId}'
{"networkId":3,"rootNode":"16Uiu2HAmCRn8..."}

$ docker exec agg-mongodb mongosh --quiet --eval 'db.commitments.countDocuments()'
1

$ curl -s https://faucet-unicity-dev.dyndns.org/.well-known/faucet.json | jq -c '{nametag, chain_pubkey}'
{"nametag":"xaleava","chain_pubkey":"02d41a68efdf70663b97582b35b89dd27b4133b68621e9664c6fadf2974925dc14"}

NAMETAG_BINDING (kind 30078) event for xaleava verified on our relay.

Companion PRs

• sphere-sdk fix(infra)(#321): relay rejects all publishes — empty allowlist root cause #324 — relay allowlist fix + run-faucet.sh env passthrough
• js-faucet Direct Messages #3 — SPHERE_AGGREGATOR_URL + SPHERE_TRUSTBASE_URL env overrides
• (probe-side schema fix is a separate concern; not blocking this)

Test plan

• ./run-aggregator.sh --fresh mints new genesis; proxy serves the new trust-base on next reload
• curl https://<agg>/.well-known/trust-base.json returns the correct networkId + rootNodeId
• With SPHERE_TRUSTBASE_URL pointing at that URL and SPHERE_AGGREGATOR_SKIP_VERIFICATION=false, faucet completes nametag mint (1 commitment lands in mongo)
• Faucet discovery doc shows nametag: "xaleava" post-mint