feat(relay): autocert TLS for --domain mode (#9)

[ilmoniemi]

Summary

• Wire cmd/pyrycode-relay/main.go autocert path: :443 (WSS via manager.TLSConfig) and :80 (ACME http-01 via mgr.HTTPHandler(http.NotFoundHandler()) — explicit 404, not 302) with the same timeouts as the insecure path.
• New internal/relay/tls.go exports NewAutocertManager, EnforceHost (returns 421 Misdirected Request on Host mismatch), TLSConfig (pins MinVersion = TLS 1.2), and the sentinel ErrCacheDirInsecure.
• Cache dir is created 0700 if missing and rejected (ErrCacheDirInsecure) if an existing dir is group/world-readable — stricter than the AC's "no-op on existing" wording, justified in the spec's security review (TLS keys live there).
• Adds golang.org/x/crypto/acme/autocert to go.mod (first non-stdlib dep). README's Run section updated with the production command, ACME caveat, and cache-mode note.

Issue

Closes #9.

Testing

• internal/relay/tls_test.go covers cache-dir creation (0700), no-op on existing secure dir, rejection of insecure dir, non-directory path, missing args, HostPolicy accept/reject (case-mismatch + suffix attack), EnforceHost table (port-tolerant, case-insensitive, 421 on mismatch with no body and next not invoked), and TLSConfig MinVersion pinning.
• go test -race ./... ✅
• go vet ./... ✅
• go build ./cmd/pyrycode-relay ✅
• Real ACME issuance and :443/:80 listener startup are deliberately not tested (per spec — verified manually on first deploy).

Architecture compliance

• Public surface, error handling, host-policy semantics, file layout, and MinVersion pinning follow docs/specs/architecture/9-autocert-tls.md exactly.
• Honoured the spec's departure from the AC literal wording: passes http.NotFoundHandler() to mgr.HTTPHandler (not nil) so non-challenge :80 traffic gets 404 instead of autocert's default 302 redirect — matches the AC's stated intent of explicit-failure semantics. Inline comment in main.go notes the rationale.
• Single domain only (HostWhitelist(*domain)); no graceful shutdown, no multi-domain, no --acme-email, no metrics — all explicitly out of scope.

🤖 Generated with Claude Code

[ilmoniemi]

Code Review: #9

Decision: PASS

Findings

• [NIT] internal/relay/tls.go:73 — EnforceHost could include Connection: close on the 421 response so a misdirected client doesn't keep the connection alive trying again. Not required by the spec; leaving as-is is fine.
• [NIT] cmd/pyrycode-relay/main.go:114 — defaultCertCache() uses string concatenation for path joining (home + "/.pyrycode-relay/certs"). Pre-existing code, out of scope, but filepath.Join would be more idiomatic if touched later.

Summary

Clean implementation that matches the spec verbatim. The http.NotFoundHandler() choice over nil is correct — the spec note about autocert.HTTPHandler(nil) 302-redirecting GET/HEAD is accurate, and the AC's "explicit failure" intent is honored.

Verified:

• go vet ./... clean
• go test -race ./... passes
• go build ./... succeeds
• Stricter-than-AC dir-mode policy (ErrCacheDirInsecure) is documented and tested.
• EnforceHost correctly handles port-tolerant, case-insensitive matching; subtests are race-safe under Go 1.22+ loop semantics (go.mod is 1.26.2).
• TLSConfig mutates a fresh *tls.Config each call (autocert returns a new one), so no aliasing concern.
• Two-goroutine startup with os.Exit(1) on listener failure mirrors the insecure path; no shared mutable state.
• autocert.Manager.HTTPHandler still routes /.well-known/acme-challenge/* to itself when given a non-nil fallback — challenge handling preserved.
• Security-review section is present in docs/specs/architecture/9-autocert-tls.md with a PASS verdict and explicit findings list, satisfying the security-sensitive label requirement.

Ready to merge.