Security hardening, concurrency fixes, and expanded test coverage

This commit introduces a comprehensive set of improvements to enhance
the security, reliability, and configurability of the proxy server,
specifically targeting adversarial resilience and high-load concurrency.

Security & Cryptography:
- Zeroize MTProto cryptographic key material (`dec_key`, `enc_key`)
  immediately after use to prevent memory leakage on early returns.
- Move TLS handshake replay tracking after full policy/ALPN validation
  to prevent cache poisoning by unauthenticated probes.
- Add `proxy_protocol_trusted_cidrs` configuration to restrict PROXY
  protocol headers to trusted networks, rejecting spoofed IPs.

Adversarial Resilience & DoS Mitigation:
- Implement "Tiny Frame Debt" tracking in the middle-relay to prevent
  CPU exhaustion from malicious 0-byte or 1-byte frame floods.
- Add `mask_relay_max_bytes` to strictly bound unauthenticated fallback
  connections, preventing the proxy from being abused as an open relay.
- Add a 5ms prefetch window (`mask_classifier_prefetch_timeout_ms`) to
  correctly assemble and classify fragmented HTTP/1.1 and HTTP/2 probes
  (e.g., `PRI * HTTP/2.0`) before routing them to masking heuristics.
- Prevent recursive masking loops (FD exhaustion) by verifying the mask
  target is not the proxy's own listener via local interface enumeration.

Concurrency & Reliability:
- Eliminate executor waker storms during quota lock contention by replacing
  the spin-waker task with inline `Sleep` and exponential backoff.
- Roll back user quota reservations (`rollback_me2c_quota_reservation`)
  if a network write fails, preventing Head-of-Line (HoL) blocking from
  permanently burning data quotas.
- Recover gracefully from idle-registry `Mutex` poisoning instead of
  panicking, ensuring isolated thread failures do not break the proxy.
- Fix `auth_probe_scan_start_offset` modulo logic to ensure bounds safety.

Testing:
- Add extensive adversarial, timing, fuzzing, and invariant test suites
  for both the client and handshake modules.

src/proxy/tests/masking_interface_cache_security_tests.rs

@@ -0,0 +1,46 @@
+#![cfg(unix)]
+
+use super::*;
+use std::sync::{Mutex, OnceLock};
+
+fn interface_cache_test_lock() -> &'static Mutex<()> {
+    static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+    LOCK.get_or_init(|| Mutex::new(()))
+}
+
+#[test]
+fn tdd_repeated_local_listener_checks_do_not_repeat_interface_enumeration_within_window() {
+    let _guard = interface_cache_test_lock()
+        .lock()
+        .unwrap_or_else(|poison| poison.into_inner());
+    reset_local_interface_enumerations_for_tests();
+
+    let local_addr: SocketAddr = "0.0.0.0:443".parse().expect("valid local addr");
+
+    let _ = is_mask_target_local_listener("127.0.0.1", 443, local_addr, None);
+    let _ = is_mask_target_local_listener("127.0.0.1", 443, local_addr, None);
+
+    assert_eq!(
+        local_interface_enumerations_for_tests(),
+        1,
+        "interface enumeration must be cached across repeated bad-client checks"
+    );
+}
+
+#[test]
+fn tdd_non_local_port_short_circuit_does_not_enumerate_interfaces() {
+    let _guard = interface_cache_test_lock()
+        .lock()
+        .unwrap_or_else(|poison| poison.into_inner());
+    reset_local_interface_enumerations_for_tests();
+
+    let local_addr: SocketAddr = "0.0.0.0:443".parse().expect("valid local addr");
+    let is_local = is_mask_target_local_listener("127.0.0.1", 8443, local_addr, None);
+
+    assert!(!is_local, "different port must not be treated as local listener");
+    assert_eq!(
+        local_interface_enumerations_for_tests(),
+        0,
+        "port mismatch should bypass interface enumeration entirely"
+    );
+}