feat(entrypoint): add inbound mTLS profiles for HTTPS

Add root-level inbound_mtls_profiles combining optional system CAs with PEM
CA files, and entrypoint.inbound_mtls_profile to require client certificates
on every HTTPS connection. Route-level inbound_mtls_profile is allowed only
without a global profile; per-handshake TLS picks ClientCAs from SNI, and
requests fail with 421 when Host and SNI would select different mTLS routes.

Compile pools at init (SetInboundMTLSProfiles from state.initEntrypoint) and
reject unknown profile refs or mixed global-plus-route configuration.

Extend config.example.yml and package READMEs; add entrypoint and config
tests for TLS mutation, handshakes, and validation.

internal/route/README.md

@@ -42,6 +42,7 @@ type Route struct {
 
     // Route rules and middleware
     HTTPConfig
+    InboundMTLSProfile string
     PathPatterns []string
     Rules        rules.Rules
     RuleFile     string
@@ -61,6 +62,24 @@ type Route struct {
 }
 ```
 
+`InboundMTLSProfile` references a named root-level inbound mTLS profile for this route.
+
+- It is only honored when no global `entrypoint.inbound_mtls_profile` is configured.
+- It is only valid for HTTP-based routes.
+- Route-scoped inbound mTLS is selected by TLS SNI.
+- Requests for secured routes must resolve to the same route by both HTTP `Host` and TLS SNI.
+- If the profile name does not exist, route validation fails.
+
+Example route fragment:
+
+```yaml
+alias: secure-api
+host: api.example.com
+scheme: https
+port: 443
+inbound_mtls_profile: corp-clients
+```
+
 ```go
 type Scheme string