scaffold: 4 new module dirs + registry/Makefile wiring (stubs)

Pre-scaffolding for the next batch (CVE-2023-32233, CVE-2023-4622,
CVE-2022-25636, CVE-2023-0179). Each module ships as a 21-line
stub returning PRECOND_FAIL; parallel agents fill in the real
detect/exploit/--full-chain implementations.

This commit keeps registry.h / iamroot.c / Makefile in one place
so the 4 parallel agents don't collide on shared-file edits — they
each own a single iamroot_modules.c.

Build clean on Debian 6.12.86; --list shows all 24 modules
including the 4 new stubs.

modules/nft_fwd_dup_cve_2022_25636/iamroot_modules.c

@@ -0,0 +1,23 @@
+/* nft_fwd_dup_cve_2022_25636 — STUB pending agent implementation. */
+#include "iamroot_modules.h"
+#include "../../core/registry.h"
+
+static iamroot_result_t nft_fwd_dup_detect(const struct iamroot_ctx *ctx)
+{
+    (void)ctx;
+    return IAMROOT_PRECOND_FAIL;
+}
+
+const struct iamroot_module nft_fwd_dup_module = {
+    .name = "nft_fwd_dup",
+    .cve = "CVE-2022-25636",
+    .summary = "nft_fwd_dup_netdev_offload heap OOB (Aaron Adams) — stub pending implementation",
+    .family = "nf_tables",
+    .kernel_range = "5.4 ≤ K < 5.18",
+    .detect = nft_fwd_dup_detect,
+    .exploit = NULL, .mitigate = NULL, .cleanup = NULL,
+    .detect_auditd = NULL, .detect_sigma = NULL,
+    .detect_yara = NULL,   .detect_falco = NULL,
+};
+
+void iamroot_register_nft_fwd_dup(void) { iamroot_register(&nft_fwd_dup_module); }

modules/nft_fwd_dup_cve_2022_25636/iamroot_modules.h

@@ -0,0 +1,12 @@
+/*
+ * nft_fwd_dup_cve_2022_25636 — IAMROOT module registry hook
+ */
+
+#ifndef NFT_FWD_DUP_IAMROOT_MODULES_H
+#define NFT_FWD_DUP_IAMROOT_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct iamroot_module nft_fwd_dup_module;
+
+#endif