feat(sentinèlla): p2p topology with DNS peer discovery

- Replace central sentinel with watcher: each node polls peers discovered
  via a single DNS name with multiple A records (e.g. peers.sentinella.com)
- Auto-detect own IPs via hostname -I; SELF env var available as optional
  override for NAT/floating-IP setups
- Fix Basic Auth bug in router.sh: compare tok against AUTH_TOKENS instead
  of unset $USER/$PASS
- Rename sentinel binary to watcher; drop unused shellplot dep
- Add inetutils to watcher runtime deps for hostname -I
- Update NixOS module: replace sentinel options with watcher p2p options
  (peersDns, self, peersPort, peersScheme, pollingIntervalSec)
- Add sentinèlla test suite: probe-status-empty, probe-disk, watcher-state-file
2026-04-26 21:54:07 +00:00
parent 249d027f6b
commit 6035397e9b
15 changed files with 687 additions and 134 deletions

@@ -92,6 +92,8 @@ require_auth=false
# --- read request & headers ---
IFS= read -r req || exit 0
cr=$(printf '\r')
tok=""
auth_ok=false
while IFS= read -r line; do
[ -z "$line" ] && break
[ "$line" = "$cr" ] && break
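Review bot: the `tok=""` and `auth_ok=false` defaults placed before the `while` loop need a one-line comment saying why they are here. Initialising both before any header is read means a value inherited from the environment of whatever launches the script cannot pre-set them, and a request with no Authorization header reaches the later check with an empty `tok`. As far as the visible hunks show, `auth_ok` is now only set to true in the `if $require_auth` block about twenty lines further down, so a short note here pointing at that block would keep the two from drifting apart in a later edit.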
@@ -99,8 +101,6 @@ while IFS= read -r line; do
"Authorization: Basic "*)
tok=${line#Authorization: Basic }
tok=$(printf '%s' "$tok" | tr -d '\r\n')
expect=$(base64 encode "$USER:$PASS")
[ "$tok" = "$expect" ] && auth_ok=true
;;
esac
done
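Review bot: the case pattern `"Authorization: Basic "*` matches the field name and the scheme byte for byte, while HTTP field names and the auth scheme name are case-insensitive. A client or proxy that sends `authorization: basic ...` leaves `tok` empty and is treated as unauthenticated. That fails closed, but now that `tok` is the only input to the decision it is worth normalising the case of the part before the credentials before matching. A repeated Authorization header also overwrites `tok`, so the last one wins; either stop at the first match or state the behaviour in a comment.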
@@ -117,7 +117,6 @@ unauth() {
printf '%s' "$body"
}
auth_ok=false
if $require_auth; then
for t in $AUTH_TOKENS; do
[ "$tok" = "$t" ] && auth_ok=true && break
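Review bot: in the `for t in $AUTH_TOKENS` loop, `[ "$tok" = "$t" ]` compares the client's raw base64 string against each whitespace-separated entry, so AUTH_TOKENS has to hold the base64 form of `user:password` rather than the plain pair. Nothing in the visible lines says so; document the expected format next to the variable. The unquoted `$AUTH_TOKENS` also goes through pathname expansion. Base64 output contains no glob metacharacters, but wrapping the loop in `set -f` removes the dependence on what an operator puts in the variable. With `require_auth` true and AUTH_TOKENS empty or unset the loop body never runs and every request is rejected, which is the right default; none of the three tests named in the commit message covers the auth path, so a test for a matching token, a wrong token and the empty-list case would be a useful addition.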