Phase D: Automated DNS registration via MCNS

Add DNSRegistrar that creates/updates/deletes A records in MCNS
during deploy and stop. When a service has routes, the agent ensures
an A record exists in the configured zone pointing to the node's
address. On stop, the record is removed.

- Add MCNSConfig to agent config (server_url, ca_cert, token_path,
  zone, node_addr) with defaults and env overrides
- Add DNSRegistrar (internal/agent/dns.go): REST client for MCNS
  record CRUD, nil-receiver safe
- Wire into deploy flow (EnsureRecord after route registration)
- Wire into stop flow (RemoveRecord before container stop)
- 7 new tests, make all passes with 0 issues

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/agent/agent.go

@@ -34,6 +34,7 @@ type Agent struct {
 	PortAlloc *PortAllocator
 	Proxy     *ProxyRouter
 	Certs     *CertProvisioner
+	DNS       *DNSRegistrar
 }
 
 // Run starts the agent: opens the database, sets up the gRPC server with
@@ -63,6 +64,11 @@ func Run(cfg *config.AgentConfig) error {
 		return fmt.Errorf("create cert provisioner: %w", err)
 	}
 
+	dns, err := NewDNSRegistrar(cfg.MCNS, logger)
+	if err != nil {
+		return fmt.Errorf("create DNS registrar: %w", err)
+	}
+
 	a := &Agent{
 		Config:    cfg,
 		DB:        db,
@@ -72,6 +78,7 @@ func Run(cfg *config.AgentConfig) error {
 		PortAlloc: NewPortAllocator(),
 		Proxy:     proxy,
 		Certs:     certs,
+		DNS:       dns,
 	}
 
 	tlsCert, err := tls.LoadX509KeyPair(cfg.Server.TLSCert, cfg.Server.TLSKey)