Refactor and enhance tests for proxy and relay functionality

- Renamed test functions in `client_tls_clienthello_truncation_adversarial_tests.rs` to remove "but_leaks" suffix for clarity.
- Added new tests in `direct_relay_business_logic_tests.rs` to validate business logic for data center resolution and scope hints.
- Introduced tests in `direct_relay_common_mistakes_tests.rs` to cover common mistakes in direct relay configurations.
- Added security tests in `direct_relay_security_tests.rs` to ensure proper handling of symlink and parent swap scenarios.
- Created `direct_relay_subtle_adversarial_tests.rs` to stress test concurrent logging and validate scope hint behavior.
- Implemented `relay_quota_lock_pressure_adversarial_tests.rs` to test quota lock behavior under high contention and stress.
- Updated `relay_security_tests.rs` to include quota lock contention tests ensuring proper behavior under concurrent access.
- Introduced `ip_tracker_hotpath_adversarial_tests.rs` to validate the performance and correctness of the IP tracking logic under various scenarios.

src/protocol/tests/tls_adversarial_tests.rs

@@ -307,9 +307,8 @@ fn extract_sni_with_duplicate_extensions_rejected() {
     h.extend_from_slice(&(handshake.len() as u16).to_be_bytes());
     h.extend_from_slice(&handshake);
     
-    // Parser might return first, see second, or fail. OWASP ASVS prefers rejection of unexpected dups.
-    // Telemt's `extract_sni` returns the first one found.
-    assert!(extract_sni_from_client_hello(&h).is_some()); 
+    // Duplicate SNI extensions are ambiguous and must fail closed.
+    assert!(extract_sni_from_client_hello(&h).is_none());
 }
 
 #[test]