Add multi-secret inbound auth and per-user proxy links

[Copilot]

Users running the proxy on OpenWRT needed per-user credentials instead of a single shared secret. This change allows configuring multiple inbound secrets and using distinct tg://proxy links per user while preserving existing single-secret behavior.

• Config: multiple secrets for one instance

  • --secret now accepts multiple values (repeatable flag and comma-separated env input).
  • Config now stores secrets: Vec<String> and keeps a primary-secret helper for existing flows.

• Auth path: accept any configured secret

  • Inbound MTProto handshake validation now tries all configured secrets.
  • Inbound FakeTLS digest validation likewise matches against all configured secrets and responds with the matched one.

• Link generation: per-user credentials output

  • Startup output keeps the primary link and adds additional tg://proxy links for extra configured secrets.
  • Secret formatting logic is centralized via link_secret_for(secret) to avoid duplication and keep FakeTLS/non-FakeTLS link encoding consistent.

• Docs and tests

  • README updated to document repeatable/comma-separated --secret usage for per-user credentials.
  • Added config test coverage for multi-secret parsing and primary-secret link behavior.

tg-ws-proxy --host 0.0.0.0 --port 443 \
  --secret 11111111111111111111111111111111 \
  --secret 22222222222222222222222222222222

This configuration accepts both secrets on inbound connections and emits separate tg://proxy links for each user credential.