Add PROXY protocol v1/v2 support for multi-hop deployments

New internal/proxyproto package implements PROXY protocol parsing and
writing without buffering past the header boundary (reads exact byte
counts so the connection is correctly positioned for SNI extraction).

Parser: auto-detects v1 (text) and v2 (binary) by first byte. Parses
TCP4/TCP6 for both versions plus v2 LOCAL command. Enforces max header
sizes and read deadlines.

Writer: generates v2 binary headers for IPv4 and IPv6 with PROXY
command.

Server integration:
- Receive: when listener.ProxyProtocol is true, parses PROXY header
  before firewall check. Real client IP from header is used for
  firewall evaluation and logging. Malformed headers cause RST.
- Send: when route.SendProxyProtocol is true, writes PROXY v2 header
  to backend before forwarding the ClientHello bytes.

Tests cover v1/v2 parsing, malformed rejection, timeout, round-trip
write+parse, and five server integration tests: receive with valid
header, receive with garbage, send verification, send-disabled
verification, and firewall evaluation using the real client IP.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 13:28:49 -07:00
parent ed94548dfa
commit 1ad9a1a43b
5 changed files with 1025 additions and 6 deletions
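
A round trip of the v2 header format the commit message describes, as an added example that is not the project's proxyproto package: WriteV2 emits a PROXY-command header for TCP4 or TCP6, and ParseV2 reads exactly the header bytes, bounded by a maximum size and never past the boundary, so the ClientHello stays in the stream for the next read. Function and constant names are assumptions, and the read deadline the commit mentions is left to the caller (for example conn.SetReadDeadline before calling ParseV2).

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
)
const v2Sig, maxV2Header = "\r\n\r\n\x00\r\nQUIT\n", 16 + 36 // 12-byte v2 signature; fixed part + largest block we accept (TCP6)

// WriteV2 builds a v2 header with the PROXY command: TCP4 if both sides are IPv4, else TCP6.
func WriteV2(src, dst *net.TCPAddr) []byte {
	h := append([]byte(v2Sig), 0x21) // version 2 | command PROXY
	if s4, d4 := src.IP.To4(), dst.IP.To4(); s4 != nil && d4 != nil {
		h = append(append(append(h, 0x11, 0, 12), s4...), d4...) // AF_INET/STREAM, 12-byte address block
	} else {
		h = append(append(append(h, 0x21, 0, 36), src.IP.To16()...), dst.IP.To16()...) // AF_INET6/STREAM, 36 bytes
	}
	return append(h, byte(src.Port>>8), byte(src.Port), byte(dst.Port>>8), byte(dst.Port)) // ports, big-endian
}

// ParseV2 reads exactly one v2 header and never past it, so the caller's next Read on r
// starts at the ClientHello. local is true for the LOCAL command, which carries no client.
func ParseV2(r io.Reader) (src, dst *net.TCPAddr, local bool, err error) {
	fixed := make([]byte, 16)
	if _, err = io.ReadFull(r, fixed); err != nil {
		return nil, nil, false, err
	}
	if string(fixed[:12]) != v2Sig || fixed[12]>>4 != 2 {
		return nil, nil, false, fmt.Errorf("proxyproto: not a PROXY v2 header")
	}
	n := int(binary.BigEndian.Uint16(fixed[14:]))
	if 16+n > maxV2Header { // bound the body before allocating or reading it
		return nil, nil, false, fmt.Errorf("proxyproto: header too large: %d bytes", 16+n)
	}
	body := make([]byte, n)
	if _, err = io.ReadFull(r, body); err != nil {
		return nil, nil, false, err
	}
	if fixed[12]&0x0F == 0 { // LOCAL: the proxy's own health check, not a client connection
		return nil, nil, true, nil
	}
	alen := map[byte]int{0x11: 4, 0x21: 16}[fixed[13]] // AF_INET/STREAM or AF_INET6/STREAM
	if alen == 0 || n != 2*alen+4 {
		return nil, nil, false, fmt.Errorf("proxyproto: bad family 0x%02x or length %d", fixed[13], n)
	}
	src = &net.TCPAddr{IP: net.IP(body[:alen]), Port: int(binary.BigEndian.Uint16(body[2*alen:]))}
	dst = &net.TCPAddr{IP: net.IP(body[alen : 2*alen]), Port: int(binary.BigEndian.Uint16(body[2*alen+2:]))}
	return src, dst, false, nil
}
```

A malformed or oversized header returns an error without touching the rest of the stream, which is where the server's RST-on-malformed behaviour would hook in.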

@@ -21,10 +21,10 @@ proceeds. Each item is marked:
## Phase 2: PROXY Protocol
- [ ] 2.1 `internal/proxyproto/` package (v1/v2 parser, v2 writer)
- [ ] 2.2 Server integration — receive (parse PROXY header before firewall on enabled listeners)
- [ ] 2.3 Server integration — send on L4 (write PROXY v2 header before ClientHello on enabled routes)
- [ ] 2.4 Tests (receive, send, firewall uses real IP, malformed header rejection)
- [x] 2.1 `internal/proxyproto/` package (v1/v2 parser, v2 writer)
- [x] 2.2 Server integration — receive (parse PROXY header before firewall on enabled listeners)
- [x] 2.3 Server integration — send on L4 (write PROXY v2 header before ClientHello on enabled routes)
- [x] 2.4 Tests (receive, send, firewall uses real IP, malformed header rejection)
## Phase 3: L7 Proxying
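Review bot: item 2.2 is ticked, but the plan should record the trust boundary the receive path depends on. The commit message states that the client IP taken from the PROXY header is used for firewall evaluation and logging, so a listener with ProxyProtocol enabled must only be reachable from the upstream proxy that inserts the header; otherwise a directly connected client could present a chosen source address to the firewall. Suggest extending the 2.2 line to "(parse PROXY header before firewall on enabled listeners; such listeners must only be exposed to trusted upstream proxies)" and adding a 2.5 item for documenting or enforcing that restriction, for example by binding the enabled listener to the network the upstream proxy connects from.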