Initial implementation of mc-proxy

Layer 4 TLS SNI proxy with global firewall (IP/CIDR/GeoIP blocking),
per-listener route tables, bidirectional TCP relay with half-close
propagation, and a gRPC admin API (routes, firewall, status) with
TLS/mTLS support.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

mc-proxy.toml.example

@@ -0,0 +1,51 @@
+# mc-proxy configuration
+
+# Listeners. Each listener binds a TCP port and has its own route table.
+[[listeners]]
+addr = ":443"
+
+  [[listeners.routes]]
+  hostname = "metacrypt.metacircular.net"
+  backend  = "127.0.0.1:18443"
+
+  [[listeners.routes]]
+  hostname = "mcias.metacircular.net"
+  backend  = "127.0.0.1:28443"
+
+[[listeners]]
+addr = ":8443"
+
+  [[listeners.routes]]
+  hostname = "metacrypt.metacircular.net"
+  backend  = "127.0.0.1:18443"
+
+[[listeners]]
+addr = ":9443"
+
+  [[listeners.routes]]
+  hostname = "mcias.metacircular.net"
+  backend  = "127.0.0.1:28443"
+
+# gRPC admin API. Optional — omit addr to disable.
+[grpc]
+addr      = "127.0.0.1:9090"
+tls_cert  = "/srv/mc-proxy/certs/cert.pem"
+tls_key   = "/srv/mc-proxy/certs/key.pem"
+client_ca = "/srv/mc-proxy/certs/ca.pem"    # mTLS; omit to disable client auth
+
+# Firewall. Global blocklist, evaluated before routing. Default allow.
+[firewall]
+geoip_db          = "/srv/mc-proxy/GeoLite2-Country.mmdb"
+blocked_ips       = []
+blocked_cidrs     = []
+blocked_countries = ["KP", "CN", "IN", "IL"]
+
+# Proxy behavior.
+[proxy]
+connect_timeout  = "5s"
+idle_timeout     = "300s"
+shutdown_timeout = "30s"
+
+# Logging.
+[log]
+level = "info"