fix: refresh routes when Tailscale account changes on same utun

[karle0wne]

This patch fixes a practical Tailscale edge case: switching between Tailscale accounts/profiles while staying on the same utun interface.

In the current behavior, routes may stay tied to the previous profile because the app only reacts to connect/disconnect or interface changes. That means users can switch account, keep utun6, and still have stale bypass routes.

What this patch changes:

• Adds a lightweight fingerprint of the active local Tailscale identity (ID/UserID/DNSName/TailscaleIPs).
• During periodic VPN checks, compares previous and current fingerprint.
• If fingerprint changes while VPN is still up on the same interface, it triggers a route refresh (removeAllRoutes + applyAllRoutes).
• Keeps the existing cooldown and safety guards to avoid duplicate reroutes.
• Improves Tailscale status reads by requesting only self data (tailscale status --json --self --peers=false) to avoid large JSON/timeouts on big tailnets.
• Refactors duplicated Tailscale JSON reading into one helper (readTailscaleStatusJSON) so detection paths stay consistent.

Scope and impact:

• File touched: Sources/RouteManager.swift only.
• No UI changes.
• No config format changes.
• No broad VPN detection refactor.
• Existing non-Tailscale VPN flow is intentionally left intact.

Why this is needed:

Without this, users can end up in a confusing state where Tailscale is connected, but the app reports no usable VPN route transition after account switch or keeps stale bypass behavior until a manual refresh.

[GeiserX]

Thorough review completed across 8 dimensions (security, concurrency, logic, performance, edge cases, Tailscale CLI compatibility, style, behavioral regression).

No blocking issues found. Key observations:

• Security: Net improvement — --peers=false reduces unnecessary data exposure. No injection vectors, fingerprint stays in memory only.
• Concurrency: @MainActor serialization + isLoading/isApplyingRoutes guards are sufficient.
• Tailscale CLI: Verified against Tailscale source — --self --peers=false preserves ExitNodeStatus, Self, and TailscaleIPs fields.
• Edge cases: All tested (Tailscale not installed, no exit node, rapid switching, VPN disconnect mid-refresh, non-Tailscale VPNs) — all handled correctly.
• Performance: 3 CLI spawns per cycle vs 2 (no per-cycle cache), but negligible at 30s intervals with the lighter --peers=false payload.

Minor non-blocking observations for future consideration:

• String(describing:) on NSNumber for UserID — works today but could use explicit NSNumber.stringValue for stability
• Per-cycle caching of readTailscaleStatusJSON() result would eliminate redundant subprocess spawns

LGTM ✅