Diagnose multi-hop tunnels layer by layer

When a container fails to reach a service tunneled across multiple hops, a single curl from inside the container hides which hop is broken. Numbered curls from each layer (local server, remote tunnel endpoint, gateway-bound relay, container-to-relay) localize the failure in one shot. Bake those checks into a test subcommand of the orchestration script so revalidating is a single command after every restart.