Add opt-in, driver-based WAN failover/CGNAT guard

[deviationist]

What

Adds an opt-in, driver-based guard that refuses to publish the detected public IP while the connection is on a WAN failover path / behind CGNAT (e.g. a 4G USB modem used as WAN backup). In that state the public IP is a shared carrier address that can't route back home — publishing it would point the domain at a dead address. The guard skips the update and leaves records on the last known-good IP instead.

Design

• Agnostic core — only hard couplings remain Node + Cloudflare. All router specifics live behind a driver.
• src/routers/ — registry + factory. No router block in config → feature is fully inert (opt-in).
• AsuswrtMerlin driver — authenticates to the router web UI and reads nvram via appGet.cgi (no new deps; built on Node http/https, handles self-signed certs + cookies). Pauses on any of: secondary-WAN failover (wan1_primary), private/CGNAT WAN IP (incl. 100.64.0.0/10), or WAN IP ≠ the router's own realip external-IP probe. Fails open if the router is unreachable, so a transient glitch never freezes DDNS.
• GuardState — de-dupes notifications so pause/resume emails fire only on a state transition.
• Router password supplied via an env var named in config (passwordEnv) — never stored in config.json.

Testing

• Live against a real AsusWRT router: healthy primary WAN → publishable: true.
• Stubbed branches: failover→pause, CGNAT-primary→pause, realip-mismatch→pause, healthy→publish, login-fail→fail-open. All correct.
• Opt-in verified inert when no router block is present.

Docs

README section + AGENTS.md. IPv6 / AAAA support noted as a TODO/Roadmap item (separate feature).