Add STUN sidecar service

[JoTurk]

Provide a lightweight STUN sidecar (separate process/container) for client reflexive candidate discovery. minimal, stateless, fast. exposes health/metrics and can be deployed automatically from the SFU.

Why not public stuns?

Reliable srflx candidates reduce reliance on third party services, privacy. Running STUN as a sidecar keeps concerns separated and enables independent scaling + geo distribution.

• - Standalone binary/service "side vehicle" handling STUN Binding requests.
• - Listener: UDP 3478 (and maybe by default too? TCP 3478) - can be shared with turn Add TURN sidecar service #20.
• - Dual-stack (IPv4/IPv6) optional.
• - Optional response IP override (when behind 1:1 NAT).
• - Basic rate limiting to mitigate abuse.
• - metrics, traces + /healthz liveness/readiness.