feat(discovery): add multiple STUN server providers for NAT detection

Expand STUN server list from 2 (Google only) to 5 servers across 4
providers to improve NAT detection success rate.

## STUN Servers Added

| Provider   | Address              | Port  | Notes                    |
|------------|----------------------|-------|--------------------------|
| Cloudflare | 162.159.207.0        | 3478  | Standard STUN port       |
| Twilio     | 34.203.251.210       | 3478  | AWS-hosted               |
| Nextcloud  | 159.69.191.124       | 443   | HTTPS port (firewall-friendly) |
| Google     | 74.125.250.129       | 19302 | Primary (existing)       |
| Google     | 74.125.250.130       | 19302 | Secondary (existing)     |

## Benefits

- Multiple providers: If one is blocked, others may succeed
- Multiple ports: 3478, 443, 19302 for firewall bypass
- Geographically diverse: Better latency options
- Port 443 fallback: Often allowed through restrictive firewalls

## Technical Details

- IPs hardcoded for reliability (DNS may be filtered)
- Servers tried sequentially until one responds
- Graceful fallback to local mode if all fail

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: doublegate

crates/wraith-discovery/src/nat/types.rs

@@ -102,18 +102,38 @@ pub struct NatDetector {
 impl NatDetector {
     /// Create a new NAT detector with default STUN servers
     ///
-    /// Uses Google's public STUN servers. Note that these IPs are hardcoded
-    /// and may change. In production, implement DNS resolution for:
-    /// - stun.l.google.com:19302
-    /// - stun1.l.google.com:19302
-    /// - stun2.l.google.com:19302
+    /// Uses multiple public STUN servers from different providers for redundancy.
+    /// IPs are hardcoded for reliability (DNS may be blocked/filtered).
     ///
-    /// TODO: Implement DNS-based STUN server resolution
+    /// Providers included:
+    /// - Cloudflare (stun.cloudflare.com:3478)
+    /// - Twilio (global.stun.twilio.com:3478)
+    /// - Nextcloud (stun.nextcloud.com:443)
+    /// - Google (stun.l.google.com:19302)
+    ///
+    /// Different ports (3478, 443, 19302) increase chance of bypassing firewalls.
+    ///
+    /// TODO: Implement DNS-based STUN server resolution as fallback
     #[must_use]
     pub fn new() -> Self {
         Self {
             stun_servers: vec![
-                // Google Public STUN servers (hardcoded IPs)
+                // Cloudflare STUN (port 3478 - standard STUN port)
+                // stun.cloudflare.com:3478
+                "162.159.207.0:3478"
+                    .parse()
+                    .expect("valid STUN server address"),
+                // Twilio STUN (port 3478)
+                // global.stun.twilio.com:3478
+                "34.203.251.210:3478"
+                    .parse()
+                    .expect("valid STUN server address"),
+                // Nextcloud STUN (port 443 - HTTPS port, often allowed through firewalls)
+                // stun.nextcloud.com:443
+                "159.69.191.124:443"
+                    .parse()
+                    .expect("valid STUN server address"),
+                // Google Public STUN servers (port 19302)
                 // stun.l.google.com:19302
                 "74.125.250.129:19302"
                     .parse()