Add NoizDNS tunnels + Xray backend integration (v1.3)

NoizDNS (main install):
- 6 tunnels instead of 4: adds NoizDNS+SOCKS (n subdomain) and NoizDNS+SSH (z subdomain)
- DPI-resistant DNSTT fork by anonvector, auto-downloaded during setup
- Graceful degradation if download fails (falls back to 4 standard tunnels)
- systemd drop-in swaps dnstt-server binary for noizdns-server
- SlipNet URLs use "sayedns"/"sayedns_ssh" tunnel types

Xray backend (optional, --add-xray):
- Auto-detects 3x-ui panel (native + Docker) or offers to install (full panel / headless)
- Creates internal-only inbound on 127.0.0.1 via 3x-ui API or direct config.json
- 4 protocols: VLESS, Shadowsocks (chacha20-ietf-poly1305), VMess, Trojan
- DNSTT tunnel forwards to Xray inbound via systemd service override
- Generates SlipNet URL + client URI (vless://, ss://, vmess://, trojan://)
- Management menu option 8, deferred CLI flag with --mtu support

Security:
- SQL injection prevention (single-quote escaping, piped to sqlite3 stdin)
- Cookie jar cleanup via trap RETURN + chmod 600
- --data-urlencode for panel API login
- printf %q for config file writing
- Restrictive file permissions (600/700)
- Bcrypt password detection for 3x-ui v2.0+
- No grep -P, no python3 dependency, portable bash

Author: SamNet-dev