Security hardening, concurrency fixes, and expanded test coverage

This commit introduces a comprehensive set of improvements to enhance
the security, reliability, and configurability of the proxy server,
specifically targeting adversarial resilience and high-load concurrency.

Security & Cryptography:
- Zeroize MTProto cryptographic key material (`dec_key`, `enc_key`)
  immediately after use to prevent memory leakage on early returns.
- Move TLS handshake replay tracking after full policy/ALPN validation
  to prevent cache poisoning by unauthenticated probes.
- Add `proxy_protocol_trusted_cidrs` configuration to restrict PROXY
  protocol headers to trusted networks, rejecting spoofed IPs.

Adversarial Resilience & DoS Mitigation:
- Implement "Tiny Frame Debt" tracking in the middle-relay to prevent
  CPU exhaustion from malicious 0-byte or 1-byte frame floods.
- Add `mask_relay_max_bytes` to strictly bound unauthenticated fallback
  connections, preventing the proxy from being abused as an open relay.
- Add a 5ms prefetch window (`mask_classifier_prefetch_timeout_ms`) to
  correctly assemble and classify fragmented HTTP/1.1 and HTTP/2 probes
  (e.g., `PRI * HTTP/2.0`) before routing them to masking heuristics.
- Prevent recursive masking loops (FD exhaustion) by verifying the mask
  target is not the proxy's own listener via local interface enumeration.

Concurrency & Reliability:
- Eliminate executor waker storms during quota lock contention by replacing
  the spin-waker task with inline `Sleep` and exponential backoff.
- Roll back user quota reservations (`rollback_me2c_quota_reservation`)
  if a network write fails, preventing Head-of-Line (HoL) blocking from
  permanently burning data quotas.
- Recover gracefully from idle-registry `Mutex` poisoning instead of
  panicking, ensuring isolated thread failures do not break the proxy.
- Fix `auth_probe_scan_start_offset` modulo logic to ensure bounds safety.

Testing:
- Add extensive adversarial, timing, fuzzing, and invariant test suites
  for both the client and handshake modules.

src/proxy/tests/masking_consume_stress_adversarial_tests.rs

@@ -0,0 +1,64 @@
+use super::*;
+use std::pin::Pin;
+use std::task::{Context, Poll};
+use std::time::Instant;
+use tokio::io::{AsyncRead, ReadBuf};
+use tokio::task::JoinSet;
+
+struct OneByteThenStall {
+    sent: bool,
+}
+
+impl AsyncRead for OneByteThenStall {
+    fn poll_read(
+        mut self: Pin<&mut Self>,
+        _cx: &mut Context<'_>,
+        buf: &mut ReadBuf<'_>,
+    ) -> Poll<std::io::Result<()>> {
+        if !self.sent {
+            self.sent = true;
+            buf.put_slice(&[0xAA]);
+            Poll::Ready(Ok(()))
+        } else {
+            Poll::Pending
+        }
+    }
+}
+
+#[tokio::test]
+async fn consume_stall_stress_finishes_within_idle_budget() {
+    let mut set = JoinSet::new();
+    let started = Instant::now();
+
+    for _ in 0..64 {
+        set.spawn(async {
+            tokio::time::timeout(
+                MASK_RELAY_TIMEOUT,
+                consume_client_data(OneByteThenStall { sent: false }, usize::MAX),
+            )
+            .await
+            .expect("consume_client_data exceeded relay timeout under stall load");
+        });
+    }
+
+    while let Some(res) = set.join_next().await {
+        res.unwrap();
+    }
+
+    // Under test constants idle=100ms, relay=200ms. 64 concurrent tasks stalling
+    // for 100ms should complete well under a strict 600ms boundary.
+    assert!(
+        started.elapsed() < MASK_RELAY_TIMEOUT * 3,
+        "stall stress batch completed too slowly; possible async executor starvation or head-of-line blocking"
+    );
+}
+
+#[tokio::test]
+async fn consume_zero_cap_returns_immediately() {
+    let started = Instant::now();
+    consume_client_data(tokio::io::empty(), 0).await;
+    assert!(
+        started.elapsed() < MASK_RELAY_IDLE_TIMEOUT,
+        "zero byte cap must return immediately"
+    );
+}