fix(attest): block missing-fingerprint bypass and tighten clock samples#298
Review Tier Label Gate failed due to missing BCOS tier label.

This PR is a focused attestation hardening fix (missing fingerprint bypass + clock sample floor), so BCOS-L1 appears appropriate.

Could a maintainer please add BCOS-L1 (or bcos:l1) and re-run checks?
larryjiang-star
left a comment
Thanks for closing the missing-fingerprint bypass and adding explicit `fingerprint_reason` in the API response — this is a strong security hardening step.

I found one correctness issue introduced by this patch:

`fingerprint_reason` can become inconsistent with `fingerprint_passed` after the server-side VM check

- In `submit_attestation()`, if `validate_fingerprint_data(...)` passes, `fingerprint_reason` may be set to a pass-like reason.
- Later, `check_vm_signatures_server_side(...)` can flip `fingerprint_passed = False`, but `fingerprint_reason` is not updated.
- Since this PR now returns `fingerprint_reason` in JSON, callers can receive contradictory state (`fingerprint_passed=false` with a stale reason), which can break operator diagnostics and downstream policy automation.

Suggested fix (same block where `fingerprint_passed` is forced false):

```python
if not vm_ok:
    print(f"[VM_CHECK] Miner: {miner} - VM DETECTED (zero rewards): {vm_reason}")
    fingerprint_passed = False
    fingerprint_reason = f"server_vm_check_failed:{vm_reason}"
```

Optional follow-up: add a regression test asserting response consistency whenever the server-side VM check overrides the earlier fingerprint result.
Addressed review feedback from @larryjiang-star in 9c508d5:

- when server-side VM check overrides attestation result, `fingerprint_reason` is now also updated to `server_vm_check_failed:`
- this keeps response state consistent with `fingerprint_passed=false`

Local verification:
- python -m py_compile node/rustchain_v2_integrated_v2.2.1_rip200.py
- python -m pytest tests/test_fingerprint.py -q (8 passed)
## Summary
- treat missing fingerprint payload as failed fingerprint attestation (zero-reward path)
- make /attest/submit default `fingerprint_passed=false` unless validation succeeds
- require minimum `clock_drift.data.samples >= 32` when `clock_drift.passed=true`
- return `fingerprint_reason` in attestation response for clearer operator diagnostics

## Why
Live-node red-team testing showed:
- missing `fingerprint` could still produce `fingerprint_passed=true` + full enrollment weight
- synthetic clock drift payloads with tiny sample counts could pass

This patch closes the primary bypass by ensuring absent fingerprint data can no longer be treated as trusted/pass state.

## Verification
- python -m py_compile node/rustchain_v2_integrated_v2.2.1_rip200.py
- python -m unittest node.tests.test_payout_preflight -v

## Related
- rustchain-bounties#248
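The rules listed in the Summary above (missing fingerprint is a failure, `fingerprint_passed` defaults to false, the 32-sample floor for `clock_drift`, `fingerprint_reason` in the response) together with the consistency point from @larryjiang-star's review, as an added example that is not the project's code; the real logic lives in node/rustchain_v2_integrated_v2.2.1_rip200.py and is not reproduced here. `validate_fingerprint_data()` and `check_vm_signatures_server_side()` are stand-ins for the project's functions of those names: their fingerprint schema (`cpu`, `serial`), the hypervisor marker list, every reason string other than `server_vm_check_failed:<reason>`, the `clock_drift_*` fields and the `reward_eligible` flag are assumptions, and the sample payloads are constructed. The example goes slightly beyond the PR text by also rejecting malformed fields and a boolean sample count.

```python
# Added example, not RustChain's code. validate_fingerprint_data() and
# check_vm_signatures_server_side() are stand-ins for the project's functions;
# their schemas, the marker list, reason strings other than
# "server_vm_check_failed:<reason>" and "reward_eligible" are assumptions.
from typing import Any, Dict, Tuple

MIN_CLOCK_SAMPLES = 32  # PR rule: clock_drift.passed=true needs data.samples >= 32
PASS_REASON = "fingerprint_validated"  # assumed pass-like reason string


def validate_fingerprint_data(fp: Any) -> Tuple[bool, str]:
    """Stand-in: a fingerprint is a non-empty dict with non-blank 'cpu' and 'serial'
    strings (assumed schema). Absent or malformed payload is a failure, never a pass."""
    if not isinstance(fp, dict) or not fp:
        return False, "fingerprint_missing"
    for field in ("cpu", "serial"):
        value = fp.get(field)
        if not isinstance(value, str) or not value.strip():
            return False, f"fingerprint_field_missing:{field}"
    return True, PASS_REASON


def check_vm_signatures_server_side(fp: Dict[str, Any]) -> Tuple[bool, str]:
    """Stand-in for the server-side VM check: reject a fingerprint whose cpu or
    serial string carries a hypervisor marker (constructed list)."""
    markers = ("vmware", "virtualbox", "qemu", "kvm", "hyper-v")
    for field in ("cpu", "serial"):
        text = str(fp.get(field, "")).lower()
        for marker in markers:
            if marker in text:
                return False, f"{marker}_marker_in_{field}"
    return True, ""


def validate_clock_drift(cd: Any) -> Tuple[bool, str]:
    """Honour clock_drift.passed=true only when data.samples is an int >= the floor."""
    if not isinstance(cd, dict):
        return False, "clock_drift_missing"
    if cd.get("passed") is not True:
        return False, "clock_drift_not_passed"
    data = cd.get("data")
    samples = data.get("samples") if isinstance(data, dict) else None
    if isinstance(samples, bool) or not isinstance(samples, int) or samples < MIN_CLOCK_SAMPLES:
        return False, f"clock_drift_samples_below_floor:{samples}"
    return True, "clock_drift_ok"


def evaluate_attestation(payload: Dict[str, Any]) -> Dict[str, Any]:
    """The only path to fingerprint_passed=True is successful validation; a later
    server-side VM override rewrites fingerprint_reason in the same block, so
    the flag and the reason can never disagree in the returned response."""
    fp = payload.get("fingerprint")
    fingerprint_passed, fingerprint_reason = validate_fingerprint_data(fp)
    if fingerprint_passed:
        vm_ok, vm_reason = check_vm_signatures_server_side(fp)
        if not vm_ok:
            fingerprint_passed = False
            fingerprint_reason = f"server_vm_check_failed:{vm_reason}"
    clock_passed, clock_reason = validate_clock_drift(payload.get("clock_drift"))
    return {
        "fingerprint_passed": fingerprint_passed,
        "fingerprint_reason": fingerprint_reason,
        "clock_drift_passed": clock_passed,
        "clock_drift_reason": clock_reason,
        # assumption: rewards need both checks; either failure is the zero-reward path
        "reward_eligible": fingerprint_passed and clock_passed,
    }


def response_is_consistent(resp: Dict[str, Any]) -> bool:
    """The regression check the review asks for: the reason must agree with the flag."""
    if resp["fingerprint_passed"]:
        return resp["fingerprint_reason"] == PASS_REASON
    return resp["fingerprint_reason"] != PASS_REASON


# Constructed payloads mirroring the red-team findings in the PR description.
SAMPLE_PAYLOADS = {
    "missing_fingerprint": {"clock_drift": {"passed": True, "data": {"samples": 64}}},
    "vm_fingerprint": {
        "fingerprint": {"cpu": "QEMU Virtual CPU version 2.5+", "serial": "QM00001"},
        "clock_drift": {"passed": True, "data": {"samples": 64}},
    },
    "tiny_clock_sample": {
        "fingerprint": {"cpu": "Intel Xeon E5-2680 v4", "serial": "SN-77A1"},
        "clock_drift": {"passed": True, "data": {"samples": 3}},
    },
    "honest_node": {
        "fingerprint": {"cpu": "Intel Xeon E5-2680 v4", "serial": "SN-77A1"},
        "clock_drift": {"passed": True, "data": {"samples": 32}},
    },
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        result = evaluate_attestation(payload)
        print(name, result, "consistent" if response_is_consistent(result) else "INCONSISTENT")
```

Note that the VM override sets both fields inside one `if not vm_ok:` block, which is the shape the review suggests; `response_is_consistent()` is the property a regression test would assert over every response path, not only the override.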