## Description
Defense #4 in the mesh.yaml hardening track.
Add `--dry-run` to `hydraguard apply`. When set:
1. Generate the new `wg0.conf` to a temp path instead of `/etc/wireguard/wg0.conf`.
2. Run `wg-quick strip` (or equivalent validation) against it.
3. Diff against the current live `wg0.conf` and print the diff.
4. Exit without touching the live config or running `wg syncconf`.
Lets an operator preview before committing, which is especially useful during multi-venue ops (the cloud-seven + rupelmonde enrollment we did today was exactly that scenario — one bad entry could have nuked both tunnels).
## Verification
- `hydraguard apply --dry-run` after a `venue add` shows the diff (new venue peer block) and does NOT modify `wg0.conf` or call `wg syncconf`.
- `hydraguard apply` (no flag) continues to work unchanged.
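
An added example of the four dry-run steps above, in Python; it is not hydraguard's own code, and the names `dry_run`, `redact` and `wg_quick_strip` are hypothetical. It keeps the candidate file named `wg0.conf` in a private temp directory and, as an assumption beyond the issue text, masks `PrivateKey`/`PresharedKey` values in the printed diff; the sample configs are constructed.

```python
# Added example; function names are hypothetical, not hydraguard's API.
import difflib, hashlib, os, re, shutil, subprocess, tempfile

LIVE_CONF = "/etc/wireguard/wg0.conf"  # live path named in the issue
SECRET = re.compile(r"^(\s*(?:PrivateKey|PresharedKey)\s*=\s*)(\S+)", re.I | re.M)

def redact(text):
    """Swap key material for a short SHA-256 tag: a rotated key still shows
    up as a changed line, but the key itself never reaches the terminal."""
    tag = lambda m: m.group(1) + "<sha256:%s>" % hashlib.sha256(m.group(2).encode()).hexdigest()[:8]
    return SECRET.sub(tag, text)

def wg_quick_strip(path):
    """Step 2 with the command the issue names (needs wg-quick and root)."""
    return subprocess.run(["wg-quick", "strip", path], capture_output=True).returncode == 0

def dry_run(new_conf, live_path=LIVE_CONF, validate=wg_quick_strip):
    """Return (valid, diff). Never writes live_path, never calls wg syncconf."""
    try:
        with open(live_path) as fh:
            live = fh.read()
    except FileNotFoundError:
        live = ""  # first apply: the whole config shows as added
    # wg-quick takes the interface name from the file name, so the candidate
    # keeps the name wg0.conf inside a private (0700) temp directory.
    tmpdir = tempfile.mkdtemp(prefix="hydraguard-dry-run-")
    try:
        candidate = os.path.join(tmpdir, os.path.basename(live_path))
        fd = os.open(candidate, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(new_conf)
        valid = validate(candidate)
    finally:
        shutil.rmtree(tmpdir)  # the candidate holds the private key; remove it
    diff = difflib.unified_diff(
        redact(live).splitlines(keepends=True),
        redact(new_conf).splitlines(keepends=True),
        fromfile=live_path, tofile=live_path + " (dry-run)")
    return valid, "".join(diff)

# Constructed sample input: placeholder keys and addresses, not real values.
SAMPLE_LIVE = "[Interface]\nPrivateKey = CONSTRUCTED-PRIVATE-KEY\nListenPort = 51820\n"
SAMPLE_NEW = SAMPLE_LIVE + "\n[Peer]\nPublicKey = CONSTRUCTED-PEER-KEY\nAllowedIPs = 10.0.0.2/32\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stand-in for /etc/wireguard
        live = os.path.join(d, "wg0.conf")
        with open(live, "w") as fh: fh.write(SAMPLE_LIVE)
        print(dry_run(SAMPLE_NEW, live, validate=lambda p: True)[1], end="")
```

A non-empty diff with `valid` false is the case to block on: the caller should exit non-zero so a wrapper script cannot go on to a real apply.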