campaigns: auto-rollout catch-all pool gated by warmup day + live bounce rate

Replaces the panic-era burner-domain verification plan with an in-house
automatic catch-all rollout in the trucking/IFTA/UCR builders. Root-cause
classification of the 75k pre-DKIM-fix bounces showed ~55% were reputation/
auth (now fixed by DKIM signing) and only ~29% genuinely-dead mailboxes;
catch-all domains accept at RCPT time so they do not user-unknown bounce at
send, making a controlled in-house bleed safer than warming a separate burner.

catch_all_enabled() adds catch-all results only when warmup_day >=
CAMPAIGN_CATCH_ALL_MIN_DAY (21) AND the recent 2-day live bounce rate is below
CAMPAIGN_CATCH_ALL_MAX_BOUNCE_PCT (8%) on a >=300-sent sample; auto-reverts to
the clean smtp_valid/send_confirmed pool on the next run if bounces spike.
Short window so a past disaster cannot block the rollout forever and a fresh
spike trips fast. CAMPAIGN_INCLUDE_CATCH_ALL=1/0 still hard-overrides.

USABLE_FILTER (static) -> usable_filter() (per-run, memoized, one DB probe).
IFTA/UCR SELECT_SQL -> _select_sql() so tc.usable_filter() resolves at call
time, not import. 13 logic unit tests pass; live dry-run decision = OFF
(day 15 < 21 and recent 2d bounce 42% from the aging-out Jun-16 disaster).

docs/campaign-deliverability-plan.md

@@ -86,9 +86,35 @@ the cleaned output.
 
 - [x] Fix the PW trucking send filter (drop `mx_unreachable`; recovery mode).
 - [x] Confirm healthcare unaffected.
-- [ ] Add `send_confirmed` / `hard_bounced` result handling to the campaign
-      filter + a writeback path from bounce processing.
-- [ ] Stand up the burner verification domain + isolated MTA identity.
-- [ ] Build the verification-send + bounce-writeback worker.
-- [ ] Re-verify the `catch_all_domain` + `mx_unreachable` pools through the burner
-      to grow the PW-sendable list.
+- [x] Add `send_confirmed` / `hard_bounced` result handling to the campaign
+      filter + a writeback path from bounce processing (`burner_list_verify.py`).
+- [x] **Catch-all auto-rollout instead of the burner domain (2026-06-18).** After
+      the DKIM signing fix landed, a root-cause classification of the 75k
+      pre-fix bounces showed the damage was ~55% reputation/auth (which DKIM
+      fixes) and only ~29% genuinely-dead mailboxes. The catch-all pool accepts
+      at RCPT time by definition, so it does not user-unknown bounce at send
+      time -- it is far safer to bleed directly in warmed batches than to stand
+      up + warm a whole separate burner domain/IP/SPF/DKIM identity. So the
+      catch-all pool is now gated by an **automatic in-house rollout** in
+      `build_trucking_campaigns.py` (`catch_all_enabled()`):
+        - enables only when `warmup_day() >= CAMPAIGN_CATCH_ALL_MIN_DAY` (21)
+          AND the **recent** (2-day) live campaign bounce rate is below
+          `CAMPAIGN_CATCH_ALL_MAX_BOUNCE_PCT` (8%) on a trustworthy sample
+          (>= 300 sent);
+        - **auto-reverts** to the clean `smtp_valid`/`send_confirmed` pool on the
+          next run if bounces spike back above the ceiling;
+        - a deliberately SHORT window so a past disaster (the Jun-16 ~45% 7-day
+          rate) cannot block the rollout forever, and a fresh spike trips it fast;
+        - `CAMPAIGN_INCLUDE_CATCH_ALL=1/0` still hard-overrides the auto decision.
+      Applied uniformly to trucking + IFTA + UCR builders (`tc.usable_filter()`).
+      The bounce-watcher continues to auto-suppress any individual hard bounces
+      in real time, so PW's own bounce rate stays bounded during the rollout.
+- [ ] ~~Stand up the burner verification domain + isolated MTA identity.~~
+      **Dropped** -- superseded by the catch-all auto-rollout above (the burner
+      was a panic-era design from before the DKIM fix + per-subscriber bounce
+      tracking made an in-house controlled rollout safe). The `mx_probe_blocked`
+      consumer-ISP pool (438k, highest dead-mailbox risk) is the only case where
+      a burner would still help; revisit only if that pool is ever needed.
+- [x] ~~Build the verification-send + bounce-writeback worker.~~ Not needed for
+      catch-all (see above). `burner_list_verify.py` remains available if the
+      `mx_probe_blocked` pool is ever scrubbed via a burner.