feat: replace HTTP health check with TLS handshake

Replace _http_check (HTTP GET to httpbin.org) with _tls_check that
performs a TLS handshake through the proxy chain. Multiple targets
(google, cloudflare, amazon) rotated round-robin eliminate the single
point of failure. Lighter, faster, harder to block than HTTP.

- Add test_targets config field (replaces test_url)
- Backward compat: legacy test_url extracts hostname automatically
- Add ssl.create_default_context() and round-robin index to ProxyPool
- Update docs (example.yaml, USAGE.md, CHEATSHEET.md)

config/example.yaml

@@ -31,7 +31,10 @@ chain:
 #     - file: /etc/s5p/proxies.txt  # text file, one proxy URL per line
 #   refresh: 300             # re-fetch sources interval (seconds)
 #   test_interval: 120       # health test cycle interval (seconds)
-#   test_url: http://httpbin.org/ip  # URL for health checks
+#   test_targets:                    # TLS handshake targets (round-robin)
+#     - www.google.com
+#     - www.cloudflare.com
+#     - www.amazon.com
 #   test_timeout: 15         # per-test timeout (seconds)
 #   test_concurrency: 5      # parallel health tests
 #   max_fails: 3             # consecutive fails before eviction