docs: complete Phase 0 architecture — spec updates, review fixes, and link portability

Update four existing specs (overview, server, napi-and-pubsub, call-protocol) to
reflect Phase 0 decisions: three-layer model, IdentityProvider, ForwardingPolicy,
OperationEnv, static/dynamic config split. Review all 9 Phase 0a ADRs (026-034)
for consistency. Fix 4 critical issues from architecture review: missing OQ-SVC-05
in open-questions.md, deprecated hub terminology, undefined AuthService and noq
terms. Replace inline OQ text with cross-references per format rules. Add
ConfigServiceImpl definition to configuration.md. Port absolute workspace paths
to project-relative links by copying referenced docs (feasibility, certbot,
fail2ban, event_source_types) into docs/research/.

docs/architecture/configuration.md

@@ -69,6 +69,39 @@ impl ConfigReloadHandle {
 
 Obtained from `Server::run()`. Passed to NAPI or CLI for explicit reload.
 
+### ConfigServiceImpl
+
+The Phase 1 implementation of config service logic, backed by
+`ArcSwap<DynamicConfig>`. Where `ConfigIdentityProvider` wraps the auth section
+of `DynamicConfig`, `ConfigServiceImpl` wraps the forwarding and rate-limit
+sections. Both are ArcSwap-backed and share the same `DynamicConfig` instance.
+
+```rust
+pub struct ConfigServiceImpl {
+    dynamic: Arc<ArcSwap<DynamicConfig>>,
+}
+
+impl ConfigServiceImpl {
+    pub fn forwarding_policy(&self) -> Arc<ForwardingPolicy> {
+        self.dynamic.load().forwarding.clone()
+    }
+
+    pub fn rate_limits(&self) -> Arc<RateLimitConfig> {
+        self.dynamic.load().rate_limits.clone()
+    }
+
+    pub fn reload(&self, new_config: DynamicConfig) {
+        self.dynamic.store(Arc::new(new_config));
+    }
+}
+```
+
+Phase 1 deploys `ConfigServiceImpl` directly — no irpc service boundary. The
+`ConfigProtocol` irpc service (behind feature flag) wraps `ConfigServiceImpl`
+for production deployments that use the service layer. This mirrors the
+`ConfigIdentityProvider` / `AuthProtocol` pattern from [identity.md](identity.md)
+and ADR-028.
+
 ### ConfigService irpc Service
 
 ```rust
@@ -155,7 +188,7 @@ iroh_relay = "https://relay.alk.dev"
 | Interface | Static config | Dynamic config | Reload mechanism |
 |-----------|--------------|----------------|------------------|
 | CLI | Flags + optional `--config` file | Loaded at startup from `--authorized-keys` | None (restart to change) |
-| Core Rust | `StaticConfig` struct | `AuthService` (irpc) or `ArcSwap<DynamicConfig>` (minimal) | `ConfigService::reload()` or `ConfigReloadHandle::reload()` |
+| Core Rust | `StaticConfig` struct | `AuthProtocol` (irpc) or `ConfigIdentityProvider` (ArcSwap) | `ConfigProtocol::ReloadDynamicConfig` or `ConfigReloadHandle::reload()` |
 | NAPI | `serve()` options | Same | `server.reloadAuth()`, `server.reloadForwarding()` |
 
 ## Constraints