Custom Domains via Caddy reverse proxy [DONE] `PL-T232`

When a tenant adds a custom domain, the API creates a CmsDomain document and calls the Cloudflare Custom Hostnames API to register the hostname against the platform's SaaS zone. Cloudflare returns DNS instructions: a CNAME pointing the customer hostname at `*.web.petanque.life` and a TXT record for ownership proof. The admin UI presents these in copy-ready boxes with a one-click copy button so non-technical editors can hand them to their registrar without confusion.

Status flows through a state machine: `pending` (just created, waiting for DNS) → `pending_validation` (CNAME and TXT detected, awaiting Cloudflare's validation) → `active` (certificate issued, traffic flowing). A reconciliation job polls the Cloudflare API every five minutes for any domain not in a terminal state, updates local status, and marks domains as `failed` after a 72-hour timeout so stale entries don't accumulate. Cloudflare handles certificate issuance via free DV certs and automatic renewal — the platform never touches private keys.

The renderer's middleware looks up the incoming Host header against the CmsDomain collection, resolves it to a CmsSite, and serves the right tenant's content; the same site can have multiple custom domains plus its platform subdomain pointing at the same content. The wildcard `*.web.petanque.life` fallback works without any Cloudflare registration, so a freshly created site is reachable instantly while the editor optionally configures a custom domain. Admin can remove a domain at any time; the system deletes the Cloudflare hostname and the next request to that domain falls back to the platform subdomain.

Audit trail captures every domain action — registration, validation, removal — for security and compliance review.