feat(fix/tls-mode-wildcard-mismatch): remove unreachable TlsMode wildcard arm and add count mismatch check

Removed #[non_exhaustive] from TlsMode and the wildcard _ arm in the
match tls_mode block in main.rs. Since setup_tls already rejects unknown
modes with bail!, the wildcard was unreachable dead code. Removing it
ensures the compiler catches future TlsMode variant additions. Added
defense-in-depth count mismatch check after the acceptor loop to catch
any silent listener/acceptor mismatch from zip truncation.

src/main.rs

@@ -184,14 +184,16 @@ async fn run_server(loaded_config: cli::LoadedConfig, config_path: &str) -> Resu
                     "ACME TLS configured"
                 );
             }
-            _ => {
-                warn!(
-                    addr = %listener_config.bind_addr,
-                    "unsupported TLS mode"
+        }
+    }
+
+    if bound_listeners.len() != tls_acceptors.len() {
+        anyhow::bail!(
+            "listener/acceptor count mismatch: {} listeners, {} acceptors",
+            bound_listeners.len(),
+            tls_acceptors.len()
         );
     }
-        }
-    }
 
     let _eviction_handle = start_eviction_task(
         rate_limiter.clone(),

src/tls/acceptor.rs

@@ -31,7 +31,6 @@ fn build_acme_server_config(
 }
 
 #[derive(Debug)]
-#[non_exhaustive]
 pub enum TlsMode {
     Manual(Arc<ServerConfig>),
     Acme {