fix(SingBox): inject DIRECT route rule for panel domain

[daidaidaiok]

Summary

SingBox::buildRule() previously read route.rules and wrote it back unchanged — an empty hook. As a result, sing-box / hiddify / sfm users importing the subscription have the panel host (the very URL they pulled the subscription from) routed through their proxy outbound. When the outbound cannot reach the panel's origin IP (very common when the panel is hosted in mainland China and the outbound is overseas, or vice versa), the panel becomes unreachable after they enable the proxy.

This mirrors the behaviour already implemented in Clash::buildRules(), ClashMeta::buildRules() and Stash::buildRules(): unshift a {domain: [host], outbound: direct} rule at the head of route.rules so the panel host always bypasses the proxy.

Before

"route": {
  "rules": [
    { "outbound": "dns-out", "protocol": "dns" },
    { "clash_mode": "direct", "outbound": "direct" },
    ...
  ]
}

After

"route": {
  "rules": [
    { "domain": ["panel.example.com"], "outbound": "direct" },   // <- injected
    { "outbound": "dns-out", "protocol": "dns" },
    { "clash_mode": "direct", "outbound": "direct" },
    ...
  ]
}

Test plan

• Patched on a live deployment, reloaded Octane, confirmed route.rules[0] contains the panel host with outbound: direct.
• Existing rules (dns-out, clash_mode, geosite-cn, etc.) are preserved and ordered after the new rule.
• No effect when Host header is absent or route.rules is missing.

🤖 Generated with Claude Code