Phase 5: --detect-rules export with dedup

- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit

core/module.h

@@ -84,6 +84,15 @@ struct iamroot_module {
     /* Undo --exploit (e.g. evict from page cache) or --mitigate side
      * effects. NULL if no cleanup applies. */
     iamroot_result_t (*cleanup)(const struct iamroot_ctx *ctx);
+
+    /* Detection rule corpus — embedded so the binary is self-
+     * contained. Each may be NULL if this module ships no rules for
+     * that format. Strings are NUL-terminated; concatenated in the
+     * order modules register. */
+    const char *detect_auditd;   /* auditd .rules content */
+    const char *detect_sigma;    /* sigma YAML content */
+    const char *detect_yara;     /* yara rules content */
+    const char *detect_falco;    /* falco rules content */
 };
 
 #endif /* IAMROOT_MODULE_H */