fix(soc-opt): never-fail SOCNormalizeFromList — broad except + status fallback

[scottbrumley]

What does this content do?

Adds a never-fail wrapper around SOCNormalizeFromList.main(). A hard failure in the normalize engine (bad list payload, missing category, JSON parse error, etc.) used to call return_error, which halts Upon Trigger and aborts the whole Foundation chain. This change wraps the entire normalization pass in a broad try/except and surfaces failure as a context flag + degraded war-room entry, while return_results cleanly so Upon Trigger keeps walking.

Content type

• Script / Automation
• Playbook / List / Correlation / Modeling / Dashboard / Layout / Incident Field

Target pack

SOC Framework Core

• soc-optimization-unified

Integration instances required

None — pure framework engine change.

Tested on tenant

Contrib tenant — tools/check_contribution.py ran end-to-end (validate → preflight → lint → pack_prep → contracts → shadow_mode → prep_docs → upload). Upload step passed.

What changed from the current version?

• Scripts/SOCNormalizeFromList/SOCNormalizeFromList.py:
  • Wraps the entire body of main() in a single broad try: / except Exception as e: block (# noqa: BLE001 — Upon Trigger contract requires broad catch).
  • Removes return_error from main() — it's the line that was halting Upon Trigger on engine failure.
  • On exception, writes SOCFramework.NormalizeStatus with { status: "fallback", lifecycle, category, list_name, error, error_type }, logs via demisto.error, posts a degraded war-room readable, and return_results so the playbook continues.
  • The 7 existing raise ValueError(...) calls in helper functions (load_list_section, _bands) are unchanged — they're now caught by the new broad except rather than bubbling out of main().
• Sits cleanly on top of feat/soc-opt #916's per-(lifecycle, category) dedup wiring; that block is now nested inside the new try: (same code, deeper indent).

Net failure mode: artifacts stay unwritten on engine failure (safe degrade — downstream sees missing keys rather than wrong keys). Foundation - Dedup and Foundation - Enrichment fall back to their list-backed defaults from SOCOptimizationConfig_V3.

Shadow mode

• This content has no actions that affect shadow mode (engine script, no remediation actions)

Dependencies on other framework content

• Builds on feat/soc-opt #916 (per-(lifecycle, category) dedup wiring) — the dedup-projection block is preserved verbatim, just nested inside the new try:.
• On degrade, depends on SOCOptimizationConfig_V3 defaults being present (already standard).

Known issues or limitations

None. Same behavior as before on the happy path; degraded continuation on the unhappy path. Verified by pack_prep + check_contribution (incl. contrib-tenant upload).