scaffold: 4 new module dirs + registry/Makefile wiring (stubs)

Pre-scaffolding for the next batch (CVE-2023-32233, CVE-2023-4622,
CVE-2022-25636, CVE-2023-0179). Each module ships as a 21-line
stub returning PRECOND_FAIL; parallel agents fill in the real
detect/exploit/--full-chain implementations.

This commit keeps registry.h / iamroot.c / Makefile in one place
so the 4 parallel agents don't collide on shared-file edits — they
each own a single iamroot_modules.c.

Build clean on Debian 6.12.86; --list shows all 24 modules
including the 4 new stubs.

modules/af_unix_gc_cve_2023_4622/iamroot_modules.c

@@ -0,0 +1,23 @@
+/* af_unix_gc_cve_2023_4622 — STUB pending agent implementation. */
+#include "iamroot_modules.h"
+#include "../../core/registry.h"
+
+static iamroot_result_t af_unix_gc_detect(const struct iamroot_ctx *ctx)
+{
+    (void)ctx;
+    return IAMROOT_PRECOND_FAIL;
+}
+
+const struct iamroot_module af_unix_gc_module = {
+    .name = "af_unix_gc",
+    .cve = "CVE-2023-4622",
+    .summary = "AF_UNIX garbage-collector race UAF (Lin Ma) — stub pending implementation",
+    .family = "af_unix",
+    .kernel_range = "2.0 ≤ K < 6.5",
+    .detect = af_unix_gc_detect,
+    .exploit = NULL, .mitigate = NULL, .cleanup = NULL,
+    .detect_auditd = NULL, .detect_sigma = NULL,
+    .detect_yara = NULL,   .detect_falco = NULL,
+};
+
+void iamroot_register_af_unix_gc(void) { iamroot_register(&af_unix_gc_module); }

modules/af_unix_gc_cve_2023_4622/iamroot_modules.h

@@ -0,0 +1,12 @@
+/*
+ * af_unix_gc_cve_2023_4622 — IAMROOT module registry hook
+ */
+
+#ifndef AF_UNIX_GC_IAMROOT_MODULES_H
+#define AF_UNIX_GC_IAMROOT_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct iamroot_module af_unix_gc_module;
+
+#endif