Replace built-in proxies with tun2socks transparent proxying

Remove the built-in HTTP/SOCKS5 proxy servers and domain allowlist/denylist
system. Instead, use tun2socks with a TUN device inside the network namespace
to transparently route all TCP/UDP traffic through an external SOCKS5 proxy.

This enables truly transparent proxying where any binary (Go, static, etc.)
has its traffic routed through the proxy without needing to respect
HTTP_PROXY/ALL_PROXY environment variables. The external proxy handles its
own filtering.

Key changes:
- NetworkConfig: remove AllowedDomains/DeniedDomains/proxy ports, add ProxyURL
- Delete internal/proxy/, internal/templates/, internal/importer/
- Embed tun2socks binary (downloaded at build time via Makefile)
- Replace LinuxBridge with ProxyBridge (single Unix socket to external proxy)
- Inner script sets up TUN device + tun2socks inside network namespace
- Falls back to env-var proxying when TUN is unavailable
- macOS: best-effort env-var proxying to external SOCKS5 proxy
- CLI: remove --template/import, add --proxy flag
- Feature detection: add ip/tun/tun2socks status to --linux-features

Makefile

@@ -5,88 +5,107 @@ GOTEST=$(GOCMD) test
 GOMOD=$(GOCMD) mod
 BINARY_NAME=fence
 BINARY_UNIX=$(BINARY_NAME)_unix
+TUN2SOCKS_VERSION=v2.5.2
+TUN2SOCKS_BIN_DIR=internal/sandbox/bin
 
-.PHONY: all build build-ci build-linux test test-ci clean deps install-lint-tools setup setup-ci run fmt lint release release-minor help
+.PHONY: all build build-ci build-linux test test-ci clean deps install-lint-tools setup setup-ci run fmt lint release release-minor download-tun2socks help
 
 all: build
 
-build:
-	@echo "🔨 Building $(BINARY_NAME)..."
+download-tun2socks:
+	@echo "Downloading tun2socks $(TUN2SOCKS_VERSION)..."
+	@mkdir -p $(TUN2SOCKS_BIN_DIR)
+	@curl -sL "https://github.com/xjasonlyu/tun2socks/releases/download/$(TUN2SOCKS_VERSION)/tun2socks-linux-amd64.zip" -o /tmp/tun2socks-linux-amd64.zip
+	@unzip -o -q /tmp/tun2socks-linux-amd64.zip -d /tmp/tun2socks-amd64
+	@mv /tmp/tun2socks-amd64/tun2socks-linux-amd64 $(TUN2SOCKS_BIN_DIR)/tun2socks-linux-amd64
+	@chmod +x $(TUN2SOCKS_BIN_DIR)/tun2socks-linux-amd64
+	@rm -rf /tmp/tun2socks-linux-amd64.zip /tmp/tun2socks-amd64
+	@curl -sL "https://github.com/xjasonlyu/tun2socks/releases/download/$(TUN2SOCKS_VERSION)/tun2socks-linux-arm64.zip" -o /tmp/tun2socks-linux-arm64.zip
+	@unzip -o -q /tmp/tun2socks-linux-arm64.zip -d /tmp/tun2socks-arm64
+	@mv /tmp/tun2socks-arm64/tun2socks-linux-arm64 $(TUN2SOCKS_BIN_DIR)/tun2socks-linux-arm64
+	@chmod +x $(TUN2SOCKS_BIN_DIR)/tun2socks-linux-arm64
+	@rm -rf /tmp/tun2socks-linux-arm64.zip /tmp/tun2socks-arm64
+	@echo "tun2socks binaries downloaded to $(TUN2SOCKS_BIN_DIR)/"
+
+build: download-tun2socks
+	@echo "Building $(BINARY_NAME)..."
 	$(GOBUILD) -o $(BINARY_NAME) -v ./cmd/fence
 
-build-ci:
-	@echo "🏗️  CI: Building $(BINARY_NAME) with version info..."
+build-ci: download-tun2socks
+	@echo "CI: Building $(BINARY_NAME) with version info..."
 	$(eval VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev"))
 	$(eval BUILD_TIME := $(shell date -u '+%Y-%m-%dT%H:%M:%SZ'))
 	$(eval GIT_COMMIT := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown"))
 	$(GOBUILD) -ldflags "-s -w -X main.version=$(VERSION) -X main.buildTime=$(BUILD_TIME) -X main.gitCommit=$(GIT_COMMIT)" -o $(BINARY_NAME) -v ./cmd/fence
 
 test:
-	@echo "🧪 Running tests..."
+	@echo "Running tests..."
 	$(GOTEST) -v ./...
 
 test-ci:
-	@echo "🧪 CI: Running tests with coverage..."
+	@echo "CI: Running tests with coverage..."
 	$(GOTEST) -v -race -coverprofile=coverage.out ./...
 
 clean:
-	@echo "🧹 Cleaning..."
+	@echo "Cleaning..."
 	$(GOCLEAN)
 	rm -f $(BINARY_NAME)
 	rm -f $(BINARY_UNIX)
 	rm -f coverage.out
+	rm -f $(TUN2SOCKS_BIN_DIR)/tun2socks-linux-*
 
 deps:
-	@echo "📦 Downloading dependencies..."
+	@echo "Downloading dependencies..."
 	$(GOMOD) download
 	$(GOMOD) tidy
 
-build-linux:
-	@echo "🐧 Building for Linux..."
+build-linux: download-tun2socks
+	@echo "Building for Linux..."
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(GOBUILD) -o $(BINARY_UNIX) -v ./cmd/fence
 
 build-darwin:
-	@echo "🍎 Building for macOS..."
+	@echo "Building for macOS..."
 	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 $(GOBUILD) -o $(BINARY_NAME)_darwin -v ./cmd/fence
 
 install-lint-tools:
-	@echo "📦 Installing linting tools..."
+	@echo "Installing linting tools..."
 	go install mvdan.cc/gofumpt@latest
 	go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
-	@echo "✅ Linting tools installed"
+	@echo "Linting tools installed"
 
 setup: deps install-lint-tools
-	@echo "✅ Development environment ready"
+	@echo "Development environment ready"
 
 setup-ci: deps install-lint-tools
-	@echo "✅ CI environment ready"
+	@echo "CI environment ready"
 
 run: build
 	./$(BINARY_NAME)
 
 fmt:
-	@echo "📝 Formatting code..."
+	@echo "Formatting code..."
 	gofumpt -w .
 
 lint:
-	@echo "🔍 Linting code..."
+	@echo "Linting code..."
 	golangci-lint run --allow-parallel-runners
 
 release:
-	@echo "🚀 Creating patch release..."
+	@echo "Creating patch release..."
 	./scripts/release.sh patch
 
 release-minor:
-	@echo "🚀 Creating minor release..."
+	@echo "Creating minor release..."
 	./scripts/release.sh minor
 
 help:
 	@echo "Available targets:"
 	@echo "  all                - build (default)"
-	@echo "  build              - Build the binary"
+	@echo "  build              - Build the binary (downloads tun2socks if needed)"
 	@echo "  build-ci           - Build for CI with version info"
 	@echo "  build-linux        - Build for Linux"
 	@echo "  build-darwin       - Build for macOS"
+	@echo "  download-tun2socks - Download tun2socks binaries for embedding"
 	@echo "  test               - Run tests"
 	@echo "  test-ci            - Run tests for CI with coverage"
 	@echo "  clean              - Clean build artifacts"
@@ -100,4 +119,3 @@ help:
 	@echo "  release            - Create patch release (v0.0.X)"
 	@echo "  release-minor      - Create minor release (v0.X.0)"
 	@echo "  help               - Show this help"
-