feat(sentinèlla): p2p topology with DNS peer discovery

- Replace central sentinel with watcher: each node polls peers discovered
  via a single DNS name with multiple A records (e.g. peers.sentinella.com)
- Auto-detect own IPs via hostname -I; SELF env var available as optional
  override for NAT/floating-IP setups
- Fix Basic Auth bug in router.sh: compare tok against AUTH_TOKENS instead
  of unset $USER/$PASS
- Rename sentinel binary to watcher; drop unused shellplot dep
- Add inetutils to watcher runtime deps for hostname -I
- Update NixOS module: replace sentinel options with watcher p2p options
  (peersDns, self, peersPort, peersScheme, pollingIntervalSec)
- Add sentinèlla test suite: probe-status-empty, probe-disk, watcher-state-file
2026-04-26 21:54:07 +00:00
parent 249d027f6b
commit 6035397e9b
15 changed files with 687 additions and 134 deletions


@@ -1,4 +1,4 @@
{ symlinkJoin, writeTextFile, socat, dash, hectic, curl, gawk, jq }:
{ symlinkJoin, writeTextFile, socat, dash, hectic, curl, gawk, jq, inetutils }:
let
shell = "${dash}/bin/dash";
bashOptions = [
@@ -31,19 +31,18 @@ let
'';
};
sentinel = hectic.writeShellApplication {
watcher = hectic.writeShellApplication {
inherit shell bashOptions;
name = "sentinel";
runtimeInputs = [ hectic.shellplot curl jq ];
name = "watcher";
runtimeInputs = [ curl jq inetutils ];
text = ''
${builtins.readFile ./log.sh}
${builtins.readFile ./colors.sh}
${builtins.readFile ./sentinel.sh}
${builtins.readFile ./watcher.sh}
'';
};
in
symlinkJoin {
name = "sentinèlla";
paths = [ probe sentinel ];
paths = [ probe watcher ];
}
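Review bot: The new `runtimeInputs = [ curl jq inetutils ];` line in the `watcher` derivation may not provide a `hostname` that accepts `-I`. As far as I know, GNU inetutils' `hostname` implements `-i`/`--ip-addresses` but not the Debian-style `-I`, so this should be confirmed against the built closure. `watcher.sh` is not shown in this section, but if the call fails there, self-detection would yield an empty list and the node could treat its own address as a peer and send its credentials to itself or mis-report state. I would either depend on a package that ships the Debian `hostname` (I believe nixpkgs has `hostname-debian`) or have the script fail loudly at startup when own-IP detection returns nothing and `SELF` is unset. A short comment next to the dependency would also help, e.g. `# hostname -I for own-IP detection; SELF overrides`.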