scaffold: 4 new module dirs + registry/Makefile wiring (stubs)

Pre-scaffolding for the next batch (CVE-2023-32233, CVE-2023-4622,
CVE-2022-25636, CVE-2023-0179). Each module ships as a 21-line
stub returning PRECOND_FAIL; parallel agents fill in the real
detect/exploit/--full-chain implementations.

This commit keeps registry.h / iamroot.c / Makefile in one place
so the 4 parallel agents don't collide on shared-file edits — they
each own a single iamroot_modules.c.

Build clean on Debian 6.12.86; --list shows all 24 modules
including the 4 new stubs.

modules/nft_payload_cve_2023_0179/iamroot_modules.c

@@ -0,0 +1,23 @@
+/* nft_payload_cve_2023_0179 — STUB pending agent implementation. */
+#include "iamroot_modules.h"
+#include "../../core/registry.h"
+
+static iamroot_result_t nft_payload_detect(const struct iamroot_ctx *ctx)
+{
+    (void)ctx;
+    return IAMROOT_PRECOND_FAIL;
+}
+
+const struct iamroot_module nft_payload_module = {
+    .name = "nft_payload",
+    .cve = "CVE-2023-0179",
+    .summary = "nft_payload set-id memory corruption (Davide Ornaghi) — stub pending implementation",
+    .family = "nf_tables",
+    .kernel_range = "5.4 ≤ K < 6.2",
+    .detect = nft_payload_detect,
+    .exploit = NULL, .mitigate = NULL, .cleanup = NULL,
+    .detect_auditd = NULL, .detect_sigma = NULL,
+    .detect_yara = NULL,   .detect_falco = NULL,
+};
+
+void iamroot_register_nft_payload(void) { iamroot_register(&nft_payload_module); }