v0.8.1

Fixed — DERP connectivity floor for no-region peers (#24)

A peer whose netmap entry carried no DERP home region (derp_region == None) was given no underlay route at all — the route updater skipped it, so the outbound router dropped every WireGuard packet to it (handshake included). The failure was symmetric (the dataplane's only egress is the underlay route table → we could neither initiate to nor respond to such a peer) and presented as a 30s dial timeout. This is the live blocker for routing through a NAT'd peer on a self-hosted control plane (e.g. Headscale) that doesn't echo preferred_derp.

DERP is the connectivity floor in Tailscale; this restores it. When the netmap supplies no region, the relay region is now inferred — mirroring Go magicsock's c.derpRoute:

1. Observed route — a region we have actually received a DERP frame from the peer on (it is demonstrably listening there).
2. Home-region last resort — our own current home region, a bounded interop-safe fallback that rendezvouses a co-regional peer even when control never echoes the peer's region. If the peer is not on that region the DERP server simply drops the relayed frame (no host dial, no leak).

The inference is gated on the region having a live transport task, and is consulted both for the WireGuard underlay route and for the CallMeMaybe direct-path prompt — so a no-region peer also gets its direct-path upgrade attempted instead of being silently skipped.

Anti-leak posture preserved: the inferred region only ever resolves to a DERP transport, never the direct host-dial path. Observed routes are pruned to the live netmap.

Patch bump (internal route-layer change; no public API change). All 43 geiserx_* crates published to crates.io.

Consumers: pure pin bump to 0.8.1, no code change.