NodeConfig defaults + code-quality pass + fuzz tests + README

NodeConfig.Spec.Defaults adds per-node IPv6/IPv4 family defaults that pod
annotations can override; built-in baseline (v6=true, v4=false) still
applies when the field is omitted.

bird.Render now validates every operator-supplied value (peer addresses,
CIDRs, anycast IPs, source addresses) before templating — fuzz found a
peer address containing `}` produced unbalanced braces in bird.conf.
Failing input preserved as a regression seed.

Fuzz targets added for ParseAnnotations, ParseCNIArgs, HostIfaceName,
canonical, IPAM allocate sequences, embed.Embed, and bird.Render.
Hardened canonical/ipToU32 against nil and non-IPv4 inputs.

README rewritten for outside readers — quickstart, NodeConfig + annotation
reference with worked examples, anycast use cases, comparison vs Calico
and Cilium, requirements, limitations.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

deploy/crds/flock.fritzlab.net_nodeconfigs.yaml

@@ -20,6 +20,9 @@ spec:
         openAPIV3Schema:
           type: object
           required: [spec]
+          description: |
+            NodeConfig is the per-node operator-supplied configuration for the
+            flock CNI agent. Its name MUST equal the Kubernetes node name.
           properties:
             spec:
               type: object
@@ -35,6 +38,25 @@ spec:
                   items:
                     type: string
                     description: IPv4 CIDR owned and aggregate-advertised by this node.
+                defaults:
+                  type: object
+                  description: |
+                    Per-node baseline for which address families a pod receives
+                    when its own annotations don't specify. Pod annotations
+                    flock.fritzlab.net/ipv6 and flock.fritzlab.net/ipv4 always
+                    override these defaults. Built-in fallback (when this block
+                    or any field is omitted) is IPv6=true, IPv4=false.
+                  properties:
+                    ipv6:
+                      type: boolean
+                      description: |
+                        Default IPv6 inclusion for pods on this node. Omit to
+                        inherit the built-in baseline (true).
+                    ipv4:
+                      type: boolean
+                      description: |
+                        Default IPv4 inclusion for pods on this node. Omit to
+                        inherit the built-in baseline (false).
                 bgp:
                   type: object
                   required: [asn, peers]
@@ -70,3 +92,9 @@ spec:
         - name: CIDR4
           type: string
           jsonPath: .spec.cidr4
+        - name: DefV6
+          type: boolean
+          jsonPath: .spec.defaults.ipv6
+        - name: DefV4
+          type: boolean
+          jsonPath: .spec.defaults.ipv4