Resolve OQ-07: add multi-config listener support (ADR-019)

Introduce [[listeners]] configuration to support both dedicated-IP
(1 IP = 1 cert = 1 domain) and shared-IP (SAN certificate) deployment
models. Each listener is an independent TLS endpoint with its own bind
address, TLS config, and site routing. OQ-07 is now resolved.

Changes:
- Add ADR-019 for multi-config listener support
- Update config format from [server] to [[listeners]] entries
- Update tls.md for per-listener TLS and certificate provisioning
- Update overview.md architecture diagram and scope
- Update proxy.md for per-listener HTTP redirect
- Fix stale references in ADR-010, ADR-011, ADR-016
- Update OQ-05 resolution (per-listener bind_addr supersedes)
- Add unique-host rationale to config validation rules
- Architecture review: fix all 3 critical and 6 warning issues

docs/architecture/proxy.md

@@ -131,11 +131,11 @@ specified, defaults of 5s connect and 60s request are used.
 
 ### 5. HTTP → HTTPS Redirect
 
-A separate HTTP listener on port 80 handles redirect. It reads the `Host`
-header from the incoming request and returns a 301 Permanent Redirect to the
-HTTPS equivalent URL (preserving the path and query string).
+A separate HTTP listener on port 80 (per listener) handles redirect. It reads
+the `Host` header from the incoming request and returns a 301 Permanent Redirect
+to the HTTPS equivalent URL (preserving the path and query string).
 
-This listener runs on the same bind address as the TLS listener but on port 80.
+Each listener has its own HTTP redirect on its own bind address.
 
 ## Upstream Connection