Decompose implementation review fixes into 14 atomic tasks with post-fix review

Break down findings from review #002 into dependency-ordered fix tasks:

Critical/High:
- fix/acme-contact-and-challenge (C1+C2): Add acme_contact field, wire to
  ACME, remove unused challenge_config, add validation rule 19
- fix/remove-health-and-hardcode-https (W5+W14+ADR-022): Remove /health
  from main listener, hardcode X-Forwarded-Proto to https
- fix/config-reload-static-drift (C4): Use ArcSwap<StaticConfig> so reload
  diffs against last config, not startup config
- fix/access-logging (W13): Wire up log_request! macro for every proxied
  request with client_ip, host, method, path, status, upstream, duration_ms

Medium:
- fix/graceful-shutdown (W1+W7): Join HTTPS tasks with timeout instead of
  abort, add shutdown signal to admin socket and eviction task
- fix/connect-timeout (W4): Wire upstream_connect_timeout_secs to enforce
  separate connect timeout

Low/Independent:
- fix/token-bucket-nanosecond (W6): Use as_nanos() instead of as_millis()
- fix/normalize-host-ipv6 (S3): Handle IPv6 bracket notation in normalize_host
- fix/http-port-validation (S1): Validate http_port in range 0 or 1-65535
- fix/integration-test-toml (S10): Fix double-nested listeners.listeners.sites
- fix/logging-test-global-subscriber (W9): Use try_init() to avoid test conflicts
- fix/fragile-error-detection (W3): Add typed error matching or documented string match
- fix/add-code-comments (C3,W8,W10,W11,S9): Document correct-but-non-obvious behaviors
- fix/request-timeout-scope (S8): Document full-request timeout scope
- fix/clean-dead-code (S4+S2): Remove dead_code annotations, add #[non_exhaustive]

Review gate:
- review/post-fix-review: Verify all fixes against architecture spec

tasks/fix/fragile-error-detection.md

@@ -0,0 +1,51 @@
+---
+id: fix/fragile-error-detection
+name: Replace fragile string matching for incomplete message error detection
+status: pending
+depends_on: []
+scope: single
+risk: low
+impact: isolated
+level: implementation
+review_findings: [W3]
+---
+
+## Description
+
+In `src/server.rs:95-97`, the check `e.to_string().contains("incomplete message")` silently suppresses connection errors by matching on the error description string. This is fragile — it can break across hyper versions, locale changes, or error message reformatting.
+
+### Changes Required
+
+**`src/server.rs`**:
+- Check if hyper exposes a typed error variant for client-disconnect errors. If `hyper::Error::is_incomplete_message()` exists or a similar method is available, use that instead of string matching.
+- If no typed variant exists, add a clear comment explaining why string matching is used and which version(s) of hyper produce this message:
+  ```rust
+  // Client disconnected before completing the request. hyper returns
+  // "incomplete message" errors for this case, which we suppress since
+  // it's not an error condition from the proxy's perspective. This is
+  // checked via string matching because hyper doesn't expose a typed
+  // variant for this error. Verified with hyper v1.x.
+  if e.to_string().contains("incomplete message") {
+      return;
+  }
+  ```
+
+## Acceptance Criteria
+
+- [ ] Error detection uses typed matching if available in hyper's API
+- [ ] If string matching is kept, a comment documents why and which hyper version produces the message
+- [ ] Existing connection error suppression still works
+- [ ] `cargo clippy` passes with no warnings
+
+## References
+
+- docs/reviews/002-implementation-review.md — W3 finding
+- src/server.rs — connection error handling
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion