feat(caddy): add standard forwarding headers to every reverse_proxy

Every generated reverse_proxy block now emits header_up for
X-Forwarded-Proto, X-Real-IP and Host. Caddy already sets the X-Forwarded-*
family and Host by default; this makes them explicit and adds X-Real-IP
(nginx convention) for backends that expect it. The https:// transport block
is preserved alongside the headers.

ARCHITECTURE.md

@@ -463,8 +463,12 @@ Manual:  POST /api/semaphore/trigger/{bookingId}  body { type: 'setup'|'teardown
 ```
 buildCaddyfile():
   { local_certs }                          # global block
-  per custom route { [encode] [tls internal] reverse_proxy <upstream> }
-  upstream prefixed with https:// → reverse_proxy gets a
+  per custom route { [encode] [tls internal] reverse_proxy <upstream> { … } }
+  every reverse_proxy block carries standard forwarding headers:
+    header_up X-Forwarded-Proto {scheme}
+    header_up X-Real-IP {remote_host}
+    header_up Host {host}
+  upstream prefixed with https:// → block also gets a
     transport http { tls_insecure_skip_verify } block
     (for self-signed TLS backends like Semaphore)