Resolve OQ-07: add multi-config listener support (ADR-019)

Introduce [[listeners]] configuration to support both dedicated-IP
(1 IP = 1 cert = 1 domain) and shared-IP (SAN certificate) deployment
models. Each listener is an independent TLS endpoint with its own bind
address, TLS config, and site routing. OQ-07 is now resolved.

Changes:
- Add ADR-019 for multi-config listener support
- Update config format from [server] to [[listeners]] entries
- Update tls.md for per-listener TLS and certificate provisioning
- Update overview.md architecture diagram and scope
- Update proxy.md for per-listener HTTP redirect
- Fix stale references in ADR-010, ADR-011, ADR-016
- Update OQ-05 resolution (per-listener bind_addr supersedes)
- Add unique-host rationale to config validation rules
- Architecture review: fix all 3 critical and 6 warning issues

docs/architecture/decisions/010-multi-site-phase1.md

@@ -31,7 +31,8 @@ and `rustls-acme` supports multi-domain certificates natively.
 Move multi-site support from Phase 2 into Phase 1. The proxy supports multiple
 sites from the initial release:
 
-- `[[sites]]` array in config (already the planned format)
+- `[[listeners.sites]]` array in each listener config (after ADR-019; was
+  `[[sites]]` at top level)
 - Host-based routing via axum's `Host` extractor (already the planned approach)
 - Multi-domain ACME certificate provisioning via `rustls-acme`
 - Each site maps a hostname to an upstream address
@@ -78,8 +79,7 @@ Phase 3 remains future enhancements.
 - Slightly more testing surface (must verify correct routing with multiple
   sites)
 - Must test multi-domain ACME provisioning (not just single-domain)
-- Wildcard or fallback site behavior needs to be defined (addressed in
-  OQ-07)
+- Wildcard or fallback site behavior is defined by the listener's site routing
 
 ## References