Security and Code Review Todos

This pass

Use real trust roots for HTTPS upstream certificate verification unless tls-skip-verify is explicitly enabled.
Avoid buffering reverse-proxy request bodies when retries are disabled.
Block CGI script resolution outside the configured CGI root and add focused tests.
Harden template include path resolution so configured roots cannot be escaped, and preserve UTF-8 while scanning templates.
Bound admin API JSON request bodies to prevent unbounded memory growth.
Add focused documentation for HTTPS upstream verification and admin API token exposure.

Dynamic DNS/SRV upstreams are parsed and documented, but the current UpstreamPool selection path is static. This needs a separate design that reconciles dynamic backend snapshots with health checks, connection counters, weighted policies, and retries.