Decompose architecture into 23 atomic tasks across 7 parallel generations

Task graph covers all Phase 1 concerns: config system, TLS termination,
proxy handler, operations (rate limiting, logging, health check, admin
socket, signals, shutdown, body size limit), deployment artifacts, and
two review checkpoints.

No circular dependencies. Critical path length of 7. Risk distribution:
3 high-risk (ACME, TLS listener setup, startup orchestration), 7 medium,
11 low, 2 trivial.

tasks/setup/project-init.md

@@ -0,0 +1,98 @@
+---
+id: setup/project-init
+name: Initialize Rust project with Cargo, dependencies, and module skeleton
+status: pending
+depends_on: []
+scope: moderate
+risk: low
+impact: project
+level: implementation
+---
+
+## Description
+
+Initialize the Rust project from scratch. The repo currently has only `docs/` and `.git/`. Set up a single-binary Rust project with all core dependencies per the architecture spec (overview.md), and create the module skeleton that subsequent tasks will fill in.
+
+This is a single-binary project — there are no library exports. The product is the `reverse-proxy` binary.
+
+### Core Dependencies
+
+| Crate | Purpose |
+|-------|---------|
+| `axum` 0.8 | HTTP framework, routing, middleware, extractors |
+| `tokio` 1 (full) | Async runtime |
+| `hyper` 1 | HTTP protocol, proxy `Client` |
+| `tower` 0.5 | Middleware ecosystem, Service trait |
+| `rustls` 0.23 | TLS implementation, `aws_lc_rs` crypto provider |
+| `tokio-rustls` 0.26 | Async TLS I/O |
+| `rustls-acme` 0.12 | ACME client for Let's Encrypt |
+| `serde` 1 | Serialization |
+| `toml` 0.8 | Config format |
+| `arc-swap` 1 | Atomic config swap for DynamicConfig |
+| `tracing` 0.1 | Structured logging |
+| `tracing-subscriber` 0.3 | Log output (file + stdout) |
+| `rustls-pemfile` 2 | PEM parsing for manual cert loading |
+| `rustls-pki-types` 1 | TLS types (CertificateDer, PrivateKeyDer) |
+| `clap` 4 | CLI arguments |
+| `signal-hook` 0.3 | SIGTERM/SIGINT/SIGHUP handling |
+
+Pin exact versions in `Cargo.toml` per standard Rust practice.
+
+### Module Skeleton
+
+```
+src/
+├── main.rs           — entry point, CLI parsing, startup orchestration
+├── config/
+│   ├── mod.rs         — config module, re-exports
+│   ├── static_config.rs — StaticConfig, ListenerConfig, TlsConfig, LoggingConfig
+│   ├── dynamic_config.rs — DynamicConfig, SiteConfig, RateLimitConfig
+│   └── validation.rs  — config validation logic
+├── proxy/
+│   ├── mod.rs         — proxy module, re-exports
+│   ├── handler.rs     — reverse proxy handler
+│   ├── headers.rs     — proxy header injection
+│   └── error.rs       — error response types
+├── tls/
+│   ├── mod.rs         — TLS module, re-exports
+│   ├── acceptor.rs    — TLS acceptor construction (manual + ACME)
+│   └── redirect.rs    — HTTP → HTTPS redirect handler
+├── rate_limit/
+│   ├── mod.rs         — rate limit module
+│   └── bucket.rs      — token bucket implementation
+├── logging/
+│   ├── mod.rs         — logging module
+│   └── format.rs      — custom structured log format
+├── admin/
+│   ├── mod.rs         — admin socket module
+│   └── socket.rs      — Unix domain socket handler
+├── health.rs          — health check endpoint
+└── shutdown.rs        — graceful shutdown logic
+```
+
+## Acceptance Criteria
+
+- [ ] `Cargo.toml` with all dependencies listed in overview.md, exact versions pinned
+- [ ] `src/main.rs` with minimal `fn main()` that compiles
+- [ ] All module files exist with `mod.rs` re-exports and skeleton content
+- [ ] `cargo check` succeeds with no errors
+- [ ] `cargo clippy` succeeds with no warnings
+- [ ] Binary name is `reverse-proxy` in `Cargo.toml`
+- [ ] `.gitignore` covers `target/`
+- [ ] Dual licensing: `MIT OR Apache-2.0` in `Cargo.toml`
+
+## References
+
+- docs/architecture/overview.md — crate dependencies, exports
+- docs/architecture/config.md — config structure
+- docs/architecture/proxy.md — proxy handler architecture
+- docs/architecture/tls.md — TLS architecture
+- docs/architecture/operations.md — rate limiting, logging, health check, shutdown
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion

tasks/setup/test-infrastructure.md

@@ -0,0 +1,43 @@
+---
+id: setup/test-infrastructure
+name: Set up test infrastructure with integration test helpers and fixtures
+status: pending
+depends_on: [setup/project-init]
+scope: narrow
+risk: low
+impact: component
+level: implementation
+---
+
+## Description
+
+Set up the testing infrastructure that subsequent implementation tasks will use. This includes integration test directory structure, test helpers for creating mock configs, and HTTP test utilities.
+
+Create:
+
+1. **Test module structure**: `tests/` directory for integration tests, `src/config/test_fixtures.rs` for config test helpers
+2. **Test config fixtures**: Helper functions to create valid `StaticConfig` and `DynamicConfig` instances for tests (minimal valid config that passes validation)
+3. **HTTP test helpers**: Utilities for spinning up test HTTP servers (for upstream mocking) using `hyper`'s test server or `tokio::net::TcpListener`
+4. **Test TLS helpers**: Self-signed certificate generation for TLS tests (using `rcgen` dev-dependency)
+
+## Acceptance Criteria
+
+- [ ] `tests/` directory exists with a sample integration test that compiles
+- [ ] Test helper module with `test_static_config()` and `test_dynamic_config()` fixture functions
+- [ ] `rcgen` added as a dev-dependency for self-signed cert generation
+- [ ] `tokio-test` or equivalent test utilities available
+- [ ] `cargo test` succeeds with the skeleton test
+- [ ] Test config fixtures produce configs that would pass validation (once validation is implemented)
+
+## References
+
+- docs/architecture/config.md — config structures to create fixtures for
+- docs/architecture/proxy.md — proxy handler that will need upstream mocking
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion