Decompose security review #003 findings into 17 fix tasks and 1 review task

Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.

tasks/fix/acme-contact-validation.md

@@ -0,0 +1,68 @@
+---
+id: fix/acme-contact-validation
+name: Validate ACME contact email has non-empty address with @ sign (W2)
+status: pending
+depends_on: []
+scope: single
+risk: trivial
+impact: isolated
+level: implementation
+review_findings: [W2]
+---
+
+## Description
+
+The ACME contact validation only checks that `contact.starts_with("mailto:")`
+but doesn't verify there's an actual email address after the prefix. Values
+like `mailto:` (empty email) pass validation but will fail at the Let's Encrypt
+API at certificate provisioning time — after the proxy has already started.
+
+The spec (config.md validation rule 19) now requires: "a valid `mailto:` URI
+with a non-empty email address containing an `@` sign."
+
+### Changes Required
+
+**`src/config/validation.rs`** — ACME contact validation (lines 148-153):
+- After checking `starts_with("mailto:")`, validate the email part:
+  ```rust
+  let contact = &listener.tls.acme_contact;
+  if contact.is_empty() || !contact.starts_with("mailto:") {
+      errors.push(ValidationError::AcmeContactInvalid {
+          bind_addr: listener.bind_addr.clone(),
+      });
+  } else {
+      let email = &contact[7..]; // after "mailto:"
+      if email.is_empty() || !email.contains('@') {
+          errors.push(ValidationError::AcmeContactInvalid {
+              bind_addr: listener.bind_addr.clone(),
+          });
+      }
+  }
+  ```
+- Add tests for:
+  - Valid: `mailto:admin@example.com`
+  - Invalid: `mailto:` (empty), `mailto:user` (no @), empty string, non-mailto
+
+## Acceptance Criteria
+
+- [ ] `mailto:` (empty email) is rejected by validation
+- [ ] `mailto:user` (no @ sign) is rejected by validation
+- [ ] `mailto:admin@example.com` still passes validation
+- [ ] Non-mailto values still rejected
+- [ ] New unit tests for the tightened validation
+- [ ] `cargo test` passes
+- [ ] `cargo clippy` passes with no warnings
+
+## References
+
+- docs/architecture/config.md — validation rule 19
+- docs/reviews/003-security-and-bug-review.md — W2 finding
+- src/config/validation.rs — ACME contact validation, existing tests
+
+## Notes
+
+> To be filled on completion
+
+## Summary
+
+> To be filled on completion