feat(entrypoint): add inbound mTLS profiles for HTTPS (#220)

Introduce reusable `inbound_mtls_profiles` in root config and support
`entrypoint.inbound_mtls_profile` to require client certificates for all
HTTPS traffic on an entrypoint. Profiles can trust the system CA store,
custom PEM CA files, or both, and are compiled into TLS client-auth
pools during entrypoint initialization.

Also add route-scoped `inbound_mtls_profile` support for HTTP-based
routes when no global entrypoint profile is configured. Route-level mTLS
selection is driven by TLS SNI, preserves existing behavior for open and
unmatched hosts, and returns the intended 421 response when secure
requests omit SNI or when Host and SNI resolve to different routes.

Add validation for missing profile references and unsupported non-HTTP
route usage, update config and route documentation/examples, expand
inbound mTLS handshake and routing regression coverage, and bump
`goutils` for HTTPS listener test support.

internal/config/README.md

@@ -30,6 +30,7 @@ type Config struct {
     ACL             *acl.Config
     AutoCert        *autocert.Config
     Entrypoint      entrypoint.Config
+    InboundMTLSProfiles map[string]types.InboundMTLSProfile
     Providers       Providers
     MatchDomains    []string
     Homepage        homepage.Config
@@ -71,6 +72,8 @@ type State interface {
 }
 ```
 
+`StartAPIServers` starts the authenticated API from `common.APIHTTPAddr` and, when `LOCAL_API_ADDR` is set, an additional **unauthenticated** local listener from `common.LocalAPIHTTPAddr`. That address is validated for loopback binds (with optional DNS resolution); non-loopback requires `LOCAL_API_ALLOW_NON_LOOPBACK` and logs a warning. See [`internal/api/v1/README.md`](../api/v1/README.md#configuration-surface).
+
 ### Exported functions
 
 ```go