Expand architecture: multi-site Phase 1, multi-domain TLS, fix review issues

Promote multi-site support from Phase 2 to Phase 1 (ADR-010): the proxy
must support git.alk.dev and alk.dev from initial release. Add multi-domain
TLS configuration (ADR-011): acme_domains array replaces acme_domain string,
single SAN certificate via rustls-acme.

Key changes:
- ADR-010: Multi-site in Phase 1 — avoids config format migration later
- ADR-011: Multi-domain TLS — single SAN cert, acme_domains Vec<String>
- ADR-002: Updated rationale for multi-site (one upstream per domain)
- overview.md: Phase 1 now includes multi-site, alk.dev pass-through,
  dual licensing (MIT OR Apache-2.0), real IP removed
- config.md: acme_domain → acme_domains, TOML example shows both sites,
  validation adds unique host check, real IP replaced with 203.0.113.10
- tls.md: Multi-domain SNI section moved from Future to current, manual
  mode uses ResolvesServerCert for SNI mapping, TOML header fixed
- proxy.md: Updated for multi-site, removed single-domain language
- operations.md: RFC 5737 documentation IPs, clarified rate limit eviction
  semantics (distinct scan interval vs eviction age)
- open-questions.md: OQ-05 resolved (single bind_addr sufficient), new
  OQ-07 (per-site TLS overrides)

Review fixes:
- acme_domains (plural) consistently used across all docs and diagram
- ADR-011 clearly scopes acme_domain as previous design
- Inline decision rationale extracted: tls.md hot-reload → ADR-004 ref,
  config.md static/dynamic → ADR-008 ref
- TOML section headers consistent (server.tls)

docs/architecture/open-questions.md

@@ -21,8 +21,6 @@ last_updated: 2026-06-11
   than the current nginx config.
 - **Cross-references**: ADR-005
 
-## Logging and Monitoring
-
 ### ~~OQ-02: What log format should fail2ban consume?~~
 
 - **Origin**: [operations.md](operations.md), [proxy.md](proxy.md)
@@ -33,6 +31,22 @@ last_updated: 2026-06-11
   See ADR-007.
 - **Cross-references**: ADR-007
 
+### OQ-07: Should per-site TLS overrides be supported for mixed ACME/manual domains?
+
+- **Origin**: [tls.md](tls.md), [config.md](config.md)
+- **Status**: open
+- **Priority**: low
+- **Context**: Phase 1 uses a single TLS configuration (ACME or manual) for all
+  domains. All domains share the same ACME config and certificate. If a future
+  domain needs a manual certificate (e.g., a corporate CA cert) while other
+  domains use ACME, a per-site TLS override would be needed. This would require
+  a custom `ResolvesServerCert` that combines ACME-provisioned certs with
+  manually loaded certs. For now, all proxied domains use the same ACME config,
+  so this is not needed.
+- **Cross-references**: ADR-011
+
+## Logging and Monitoring
+
 ### OQ-03: Should the health check endpoint be on a separate port?
 
 - **Origin**: [operations.md](operations.md)
@@ -61,15 +75,15 @@ last_updated: 2026-06-11
 
 ## Deployment
 
-### OQ-05: Should the proxy bind to multiple addresses or just one?
+### ~~OQ-05: Should the proxy bind to multiple addresses or just one?~~
 
 - **Origin**: [overview.md](overview.md)
-- **Status**: open
+- **Status**: resolved
 - **Priority**: low
-- **Context**: Current nginx config binds to a specific IP (`15.235.125.95`).
-  The proposed config uses `bind_addr` which could be any IP. For Phase 1, the
-  config will specify a single IP address. Multi-address binding (listening on
-  multiple IPs) is not needed but could be added as an array of addresses.
+- **Resolution**: A single `bind_addr` is sufficient. The proxy binds to one
+  explicit IP address (not `0.0.0.0`). Multi-address binding is not needed for
+  this single-server deployment. If needed in the future, `bind_addr` could be
+  extended to an array. See config.md for the `bind_addr` field.
 - **Cross-references**: None
 
 ## Proxy