Fix three doc-vs-implementation gaps found during audit

1. DB migration: add CHECK(mode IN ('l4', 'l7')) constraint on the
   routes.mode column. ARCHITECTURE.md documented this constraint but
   migration v2 omitted it. Enforces mode validity at the database
   level in addition to application-level validation.

2. L7 reverse proxy: distinguish timeout errors from connection errors
   in the ErrorHandler. Backend timeouts now return HTTP 504 Gateway
   Timeout instead of 502. Uses errors.Is(context.DeadlineExceeded)
   and net.Error.Timeout() detection. Added isTimeoutError unit tests.

3. Config validation: warn when L4 routes have tls_cert or tls_key set
   (they are silently ignored). ARCHITECTURE.md documented this warning
   but config.validate() did not emit it. Uses slog.Warn.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/l7/serve_test.go

@@ -311,6 +311,31 @@ func TestL7BackendUnreachable(t *testing.T) {
 	}
 }
 
+func TestIsTimeoutError(t *testing.T) {
+	// context.DeadlineExceeded is a timeout.
+	if !isTimeoutError(context.DeadlineExceeded) {
+		t.Fatal("expected DeadlineExceeded to be a timeout error")
+	}
+
+	// A net timeout error is a timeout.
+	netErr := &net.OpError{Op: "dial", Err: &timeoutErr{}}
+	if !isTimeoutError(netErr) {
+		t.Fatal("expected net timeout to be a timeout error")
+	}
+
+	// A regular error is not a timeout.
+	if isTimeoutError(fmt.Errorf("connection refused")) {
+		t.Fatal("expected non-timeout error to return false")
+	}
+}
+
+// timeoutErr implements net.Error with Timeout() = true.
+type timeoutErr struct{}
+
+func (e *timeoutErr) Error() string   { return "timeout" }
+func (e *timeoutErr) Timeout() bool   { return true }
+func (e *timeoutErr) Temporary() bool { return false }
+
 func TestL7MultipleRequests(t *testing.T) {
 	certPath, keyPath := testCert(t, "multi.test")