Merged
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -43,7 +43,7 @@ All plugin config fields are strings (agent gRPC `map<string,string>` contract).
| `custodian_debug` | No | Boolean (`true`/`false`) toggle to pass `--debug` to Cloud Custodian. This increases Cloud Custodian diagnostic output on stderr. Default: `false`. |
| `custodian_verbose` | No | Boolean (`true`/`false`) toggle to pass `-v` to Cloud Custodian. This increases Cloud Custodian diagnostic output on stderr. Default: `false`. |
| `custodian_aws_api_trace` | No | Boolean (`true`/`false`) toggle to inject a temporary Python `sitecustomize.py` into the Custodian child process. Logs botocore API start/end/error events to stderr and `custodian-aws-api-trace.jsonl` in the check output directory. Default: `false`. |
| `custodian_network_diagnostics` | No | Boolean (`true`/`false`) toggle to run Go DNS/TLS preflight probes for relevant AWS service endpoints before Custodian starts and log child process TCP socket snapshots while Custodian is running. Preflight failures stop the Custodian check before execution. If `aws_regions` is unset or only `all`, service-derived probes are skipped unless `custodian_network_diagnostic_endpoints` is configured. For AWS resource types not mapped to diagnostic services, diagnostics require explicit `custodian_network_diagnostic_endpoints`; otherwise the preflight fails. Default: `false`. |
| `custodian_network_diagnostics` | No | Boolean (`true`/`false`) toggle to run Go DNS/TLS preflight probes for relevant AWS service endpoints before Custodian starts and log child process TCP socket snapshots while Custodian is running. DNS/TLS probe failures are logged as warnings and surfaced in evidence as `execution.warnings`. Concrete `aws_regions` are narrowed to regions with reachable resource service endpoints before Custodian runs; if none are reachable for a check, that check is skipped, later checks continue, and the accumulated diagnostic warnings are returned after reachable evidence is submitted. If no concrete `aws_regions` are configured, service-derived probes are skipped unless `custodian_network_diagnostic_endpoints` is configured. For AWS resource types not mapped to diagnostic services, diagnostics warn and continue unless explicit endpoints are configured. Invalid configured endpoints still fail before execution. Default: `false`. |
| `custodian_network_diagnostic_endpoints` | No | Comma or whitespace separated list of additional endpoint hostnames, `host:port` values, or HTTPS URLs to DNS/TLS probe when `custodian_network_diagnostics` is enabled. Non-HTTPS URL schemes are rejected. Use this for AWS VPC endpoint DNS names such as `vpce-123.backup.eu-west-1.vpce.amazonaws.com`. Default: unset. |
| `custodian_log_tail_during_run` | No | Boolean (`true`/`false`) toggle to tail discovered `custodian-run.log` artifacts during the monitor loop, not only after process exit. Default: `false`. |
| `aws_regions` | No | Comma or whitespace separated AWS regions passed as repeated `--region` flags. Duplicate entries are removed while preserving order. Default: unset, which falls back to `--region all` for AWS checks. |
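Review bot: the rewritten `custodian_network_diagnostics` row relies on the phrase "concrete `aws_regions`" twice without defining it, and the `aws_regions` row below only describes `all` as the fallback; state plainly that concrete means a named region rather than `all`, so the reader knows which configurations trigger region narrowing. The same row says a check with no reachable regions "is skipped, later checks continue", but not how that skip is recorded; because a silently skipped compliance check can read like a pass, the row should say whether the skipped check and the narrowed region list are visible in the evidence alongside `execution.warnings`, not only the accumulated warnings. Style: this cell is now a long run of behaviours in one sentence chain; one short sentence per case (probe failure, region narrowing, skipped check, unmapped resource type, invalid endpoint) would make the fail-open versus fail-closed split easier to read.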