fix(dns): preserve NRPT rules on startup and improve hosts file retry

[f0ssel]

Two changes to improve DNS resilience on Windows when GlobalProtect or other VPNs cause engine restarts.

Problem

When the Coder Desktop tunnel binary restarts (e.g., after a GlobalProtect VPN reconnect), the Tailscale engine is recreated. During this process:

1. newNRPTRuleDatabase() called DelAllRuleKeys() unconditionally, deleting all .coder NRPT routing rules from the Windows registry — even though they were valid and working.
2. The first dns.Set() call often fails because the hosts file is locked by endpoint security (GP, CrowdStrike, Defender), and the retry window was only 50ms (5×10ms).
3. If the Coder API is also unreachable (route through the reconnecting VPN), no workspace snapshot arrives to reprogram DNS — leaving resolution broken indefinitely.

Fix

1. Preserve NRPT rules on startup (nrpt_windows.go)

• newNRPTRuleDatabase() no longer calls DelAllRuleKeys()
• Existing rule IDs are tracked in a new staleRuleIDs field
• Stale rules are cleaned up in the first WriteSplitDNSConfig() call, after replacement rules are confirmed written
• DelAllRuleKeys() also cleans up stale rules if called directly (e.g., during teardown)
• This preserves .coder DNS routing during the gap between engine creation and first successful configuration

2. Exponential backoff for hosts file retry (manager_windows.go)

• Initial backoff: 50ms, multiplier: 2x, max interval: 5s, deadline: 30s
• Each retry attempt is logged at debug level with attempt number and error
• Final error includes total attempt count for diagnostics

Fixes https://linear.app/codercom/issue/PLAT-110
Companion to coder/coder#24253

🤖 Generated by Coder Agents