Resolve 5 open questions, add 7 ADRs for previously undocumented decisions

Resolve open questions:
- OQ-01: Restrict cipher suites to match nginx scope (4 ECDHE-AES-GCM
  suites for TLS 1.2 + all TLS 1.3 suites) — ADR-012
- OQ-03: Health check on separate local port (default 9900, localhost
  only) — ADR-013
- OQ-04: Add Unix domain socket admin API for config reload alongside
  SIGHUP, with structured success/failure responses — ADR-014
- OQ-06: Per-site upstream timeouts with defaults (5s connect, 60s
  request), overridable in SiteConfig — ADR-015

Document previously undocumented decisions flagged by architecture review:
- ADR-016: Explicit bind address requirement (reject 0.0.0.0)
- ADR-017: Upstream connection defaults (HTTP/1.1, no redirects, pooling)
- ADR-018: 100 MB body size limit (matches nginx, Gitea compatibility)

OQ-07 (per-site TLS overrides) remains open for future consideration.

Spec updates:
- config.md: add health_check_port, admin_socket_path, per-site timeout
  fields, update TOML example and validation rules
- proxy.md: reference ADR-015/017/018 for timeouts, connection defaults,
  and body limit decisions
- tls.md: replace OQ-01 cipher suite section with ADR-012 decision
- operations.md: add local health check port section, admin socket reload
- overview.md: update Phase 1 scope with new features, add ADR references
- open-questions.md: resolve OQ-01/03/04/06, keep OQ-07 open

docs/architecture/tls.md

@@ -115,25 +115,26 @@ regression if defaults change in future rustls releases.
 
 ### Cipher Suites
 
-rustls 0.23 with the `aws_lc_rs` crypto provider defaults to a conservative
-cipher suite selection that excludes all weak ciphers (no SHA-1, no 3DES, no
-RC4, no CBC-mode suites, no RSA key exchange).
+Cipher suites are explicitly restricted to match the scope of our current nginx
+configuration. See ADR-012 for the full rationale.
 
-The current nginx config explicitly restricts to:
+**TLS 1.2 (explicitly selected):**
 
-```
-ECDHE-ECDSA-AES128-GCM-SHA256
-ECDHE-RSA-AES128-GCM-SHA256
-ECDHE-ECDSA-AES256-GCM-SHA384
-ECDHE-RSA-AES256-GCM-SHA384
-```
+- `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
+- `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
+- `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
+- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
 
-rustls's defaults include these plus TLS 1.3 suites (which nginx's config
-also allows via `TLSv1.3`). The default rustls cipher list is a strict subset
-of what browsers accept.
+**TLS 1.3 (all default suites):**
 
-See [open-questions.md](open-questions.md) OQ-01 for whether to further
-restrict cipher suites beyond rustls defaults.
+- `TLS_AES_128_GCM_SHA256`
+- `TLS_AES_256_GCM_SHA384`
+- `TLS_CHACHA20_POLY1305_SHA256`
+
+This is configured by building a `CryptoProvider` with a custom `cipher_suite`
+list and passing it to `ServerConfig::builder_with_provider()`. The cipher
+list matches our current nginx configuration's scope, providing behavioral
+parity during migration.
 
 ### ServerConfig Construction
 
@@ -223,12 +224,13 @@ All design decisions are documented as ADRs in [decisions/](decisions/).
 | [005](decisions/005-tokio-rustls-direct.md) | tokio-rustls directly | Full control over TLS config and ACME resolver integration |
 | [010](decisions/010-multi-site-phase1.md) | Multi-site in Phase 1 | Multiple domains from initial release |
 | [011](decisions/011-multi-domain-tls.md) | Multi-domain TLS config | Single SAN certificate covering all domains via rustls-acme |
+| [012](decisions/012-cipher-suite-restriction.md) | Restrict cipher suites | Match nginx scope: four ECDHE-AES-GCM suites for TLS 1.2, all TLS 1.3 suites |
 
 ## Open Questions
 
 Open questions are tracked in [open-questions.md](open-questions.md). Key
 questions affecting this document:
 
-- **OQ-01**: Should cipher suites be restricted beyond rustls defaults? (open)
+- ~~**OQ-01**: Should cipher suites be restricted beyond rustls defaults?~~ (resolved — ADR-012: restrict to nginx scope)
 - **OQ-07**: Should per-site TLS overrides be supported for mixed ACME/manual
   domains? (open)