also running go mod tidy

…nabling-dnstt

Replace instant-death markFailed with a softer consecutiveFailures
counter (5 strikes). When a tunnel fails, clear the cached probe
round tripper so the next attempt gets a fresh smux stream instead
of reusing a degraded transport. Close permanently dead tunnels
instead of leaking them via 'continue'.

isSucceeding now requires both that the tunnel has ever succeeded
AND is under the failure threshold — the old || logic would
recycle tunnels that had never worked.

Add an on-demand probe trigger: when NewRoundTripper exhausts all
usable tunnels it signals probeCh, which findWorkingDNSTunnels
picks up to start a fresh cycle immediately instead of waiting
for the timer. Reduce the probe interval from 30 min to 5 min so
re-probes happen even without a trigger signal.

Also wire domain/resolver into the dnsTunnel struct so RoundTrip
logs identify which tunnel handled each request.

DNSTT sessions run over DNS at 135-byte MTU; a single TLS handshake
can take 30-60 seconds through the tunnel. The race transport's
default 80s GET budget and 3min POST budget are often too tight.

Add RequestTimeout() returning 5 minutes so kindling's race transport
gives this transport enough time to complete. The upstream kindling
change (../kindling) wires this into the race budget.

Also replace the kindling dependency with a local path so these
changes take effect together.

The config fetcher and kindling HTTP client both use this timeout
as an outer bound around the race transport. With DNSTT requesting
a 5-minute race budget, the outer timeout of 180s was killing
requests before the tunnel could complete — response headers were
arriving but body reads were cut off mid-stream.

360s gives DNSTT 5min with 1min of headroom.

Removed the probeRT field from dnsTunnel and all related methods
(setProbeRT, getRoundTripper, clearProbeRT). The probe still validates
the tunnel but no longer caches its smux session — each real request
now creates a fresh round tripper via NewRoundTripper.

This fixes the 'io: read/write on closed pipe' cascade: when multiple
concurrent requests shared the probe's cached smux session, a single
KCP disconnect killed all streams simultaneously. With per-request
sessions, each request has isolation — one dying session doesn't
take down others.

Sets a 10KB body size cap on the DNSTT transport so the race transport
skips it for oversized payloads (e.g. 1.4MB issue report protobufs).
DNS tunnels have a 135-byte MTU — 10KB already needs ~75 DNS queries
and nearly exhausts the 5-minute RequestTimeout budget. Larger payloads
should route through another transport.

Moves DNSTT registration after Smart/AMP/Domainfront so it only races
if the other transports fail to connect. Also re-enables all transports
now that DNSTT is no longer the sole transport.

Previously, NewRoundTripper returned a connectedRoundtripper without
establishing any connection — the actual smux session was created lazily
in RoundTrip. This meant DNSTT's NewRoundTripper returned instantly and
always won the connection race against Smart/AMP/Domainfront that actually
pre-connect.

Now NewRoundTripper calls tun.NewRoundTripper during the connect phase so
DNSTT pays the real connection cost (KCP + smux handshake) during the race.
connectedRoundtripper stores the pre-built RoundTripper and uses it directly.

When a tunnel fails to create a round tripper, the DNSTT instance's
goroutines (KCP poll loop, DNS senders) would keep running since the
tunnel was consumed from the channel but never closed. This leaked
resources and shrunk the available tunnel pool until the next probe
cycle. Now closed promptly.

Also add blank line separator between immutable fields (domain, resolver)
and mutex-guarded fields (lastSucceeded, consecutiveFailures) for clarity.

…nabling-dnstt