Decompose security review #003 findings into 17 fix tasks and 1 review task

Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.

tasks/fix/admin-socket-resource-limits.md

@@ -0,0 +1,100 @@
+---
+id: fix/admin-socket-resource-limits
+name: Add read timeout and line length limit to admin socket (ADR-027)
+status: pending
+depends_on: []
+scope: narrow
+risk: low
+impact: component
+level: implementation
+review_findings: [W4, S4]
+---
+
+## Description
+
+The admin socket's `handle_connection` reads one newline-terminated line with
+`reader.read_line(&mut line)` but sets no timeout and no length limit. This
+allows:
+1. A client to connect and send no data, holding a connection indefinitely
+2. A client to send unbounded data without a newline, causing OOM
+
+ADR-027 specifies: 5-second read timeout, 4096 byte line length limit.
+
+### Changes Required
+
+**`src/admin/socket.rs`** — `handle_connection` function (lines 166-210):
+- Wrap the `BufReader` with `tokio::io::take` to limit read size to 4096 bytes:
+  ```rust
+  let (reader, mut writer) = stream.into_split();
+  let mut reader = BufReader::new(tokio::io::take(reader, 4096));
+  let mut line = String::new();
+  ```
+- Wrap the `read_line` call in a `tokio::time::timeout`:
+  ```rust
+  use std::time::Duration;
+  let read_result = tokio::time::timeout(
+      Duration::from_secs(5),
+      reader.read_line(&mut line),
+  ).await;
+  ```
+- Handle timeout and line-too-long cases:
+  ```rust
+  match read_result {
+      Ok(Ok(0)) | Ok(Err(_)) => {
+          // existing "invalid input" handling
+      }
+      Err(_) => {
+          // timeout
+          tracing::debug!("admin socket connection timed out");
+          let _ = writer.write_all(
+              format!("{}\n", serde_json::to_string(&ErrorResponse {
+                  status: "error",
+                  message: "read timeout".to_string(),
+              }).unwrap()).as_bytes()
+          ).await;
+          return;
+      }
+      Ok(Ok(n)) => {
+          // Check if line was truncated (no newline found within limit)
+          if !line.ends_with('\n') && n > 0 {
+              tracing::warn!("admin socket command exceeded 4096 byte limit");
+              let _ = writer.write_all(
+                  format!("{}\n", serde_json::to_string(&ErrorResponse {
+                      status: "error",
+                      message: "command too long".to_string(),
+                  }).unwrap()).as_bytes()
+              ).await;
+              return;
+          }
+          // ... existing command handling
+      }
+  }
+  ```
+- Update existing tests and add new tests for timeout and line length limit.
+
+## Acceptance Criteria
+
+- [ ] Read timeout of 5 seconds applied to admin socket connections
+- [ ] Line length limit of 4096 bytes applied (via `tokio::io::take`)
+- [ ] Timeout logged at `debug` level per ADR-027
+- [ ] Line-too-long logged at `warn` level per ADR-027
+- [ ] Both conditions return appropriate error JSON to the client
+- [ ] Legitimate commands (`reload`, `status`) still work
+- [ ] New tests for timeout and line length limit behavior
+- [ ] `cargo test` passes
+- [ ] `cargo clippy` passes with no warnings
+
+## References
+
+- docs/architecture/decisions/027-admin-socket-resource-limits.md — ADR-027
+- docs/architecture/operations.md — admin socket resource limits
+- docs/reviews/003-security-and-bug-review.md — W4, S4 findings
+- src/admin/socket.rs — `handle_connection`
+
+## Notes
+
+> To be filled on completion
+
+## Summary
+
+> To be filled on completion