Address review feedback on SNI-DNS check refactor

- Bound public-IP detection with a 10s timeout context. The HTTP
  fallback chain in getIP could otherwise block proxy startup
  indefinitely on slow endpoints; the old single DNS lookup could
  not. Plumbed via context through getIP/fetchPublicIP and added
  context.WithTimeout in warnSNIMismatch, checkSecretHost, and
  Access.Run.

- Emit a dedicated warning in warnSNIMismatch when the secret
  hostname resolves successfully but to zero addresses, mirroring
  the doctor's tplEDNSSNINoResolve branch instead of falling
  through to a mismatch warning with an empty resolved list.

- Allow configuring network.public-ip-endpoints (TOML) /
  publicIpEndpoints (JSON) so deployments can override the default
  list (ifconfig.co, icanhazip.com, ifconfig.me). The default is
  preserved when the option is omitted.

internal/cli/access.go

 package cli
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net"
 	"os"
 	"strconv"
 	"sync"
+	"time"
 
 	"github.com/9seconds/mtg/v2/internal/config"
 	"github.com/9seconds/mtg/v2/internal/utils"
 		return fmt.Errorf("cannot init network: %w", err)
 	}
 
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	endpoints := resolvePublicIPEndpoints(conf.Network.PublicIPEndpoints)
 	wg := &sync.WaitGroup{}
 
 	wg.Go(func() {
 			ip = conf.PublicIPv4.Get(nil)
 		}
 		if ip == nil {
-			ip = getIP(ntw, "tcp4")
+			ip = getIP(ctx, ntw, "tcp4", endpoints)
 		}
 
 		if ip != nil {
 			ip = conf.PublicIPv6.Get(nil)
 		}
 		if ip == nil {
-			ip = getIP(ntw, "tcp6")
+			ip = getIP(ctx, ntw, "tcp6", endpoints)
 		}
 
 		if ip != nil {

internal/cli/doctor.go

 }
 
 func (d *Doctor) checkSecretHost(resolver *net.Resolver, ntw mtglib.Network) bool {
-	res := runSNICheck(context.Background(), resolver, d.conf, ntw)
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	res := runSNICheck(ctx, resolver, d.conf, ntw)
 
 	if res.ResolveErr != nil {
 		tplError.Execute(os.Stdout, map[string]any{ //nolint: errcheck

internal/cli/run_proxy.go

 	"net"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/9seconds/mtg/v2/antireplay"
 	"github.com/9seconds/mtg/v2/events"
 		return
 	}
 
-	res := runSNICheck(context.Background(), net.DefaultResolver, conf, ntw)
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	res := runSNICheck(ctx, net.DefaultResolver, conf, ntw)
 
 	if res.ResolveErr != nil {
 		log.BindStr("hostname", res.Host).
 		return
 	}
 
+	if len(res.Resolved) == 0 {
+		log.BindStr("hostname", res.Host).
+			Warning("SNI-DNS check: secret hostname does not resolve to any address")
+		return
+	}
+
 	if res.OK() {
 		return
 	}

internal/cli/sni_check.go

 // runSNICheck resolves conf.Secret.Host and compares the result with the
 // server's public IPv4 and IPv6. Public IPs come from config first and fall
 // back to on-the-fly detection via ntw. IP detection for the two families
-// runs concurrently.
+// runs concurrently and honors ctx — callers should supply a deadline,
+// since the HTTP fallback can otherwise block startup indefinitely.
 func runSNICheck(ctx context.Context,
 	resolver *net.Resolver,
 	conf *config.Config,
 		res.Resolved = append(res.Resolved, a.IP)
 	}
 
+	endpoints := resolvePublicIPEndpoints(conf.Network.PublicIPEndpoints)
 	wg := sync.WaitGroup{}
 
 	wg.Go(func() {
 		res.OurIPv4 = conf.PublicIPv4.Get(nil)
 		if res.OurIPv4 == nil {
-			res.OurIPv4 = getIP(ntw, "tcp4")
+			res.OurIPv4 = getIP(ctx, ntw, "tcp4", endpoints)
 		}
 	})
 
 	wg.Go(func() {
 		res.OurIPv6 = conf.PublicIPv6.Get(nil)
 		if res.OurIPv6 == nil {
-			res.OurIPv6 = getIP(ntw, "tcp6")
+			res.OurIPv6 = getIP(ctx, ntw, "tcp6", endpoints)
 		}
 	})
 

internal/cli/utils.go

 	"strings"
 
 	"github.com/9seconds/mtg/v2/essentials"
+	"github.com/9seconds/mtg/v2/internal/config"
 	"github.com/9seconds/mtg/v2/mtglib"
 )
 
-// publicIPEndpoints are tried in order. Each must return the client's public
-// IP as a single address in the plain-text response body.
-var publicIPEndpoints = []string{
+// defaultPublicIPEndpoints is the fallback used when network.public-ip-endpoints
+// is not set in config. Each endpoint must return the client's public IP as a
+// single address in the plain-text response body.
+var defaultPublicIPEndpoints = []string{
 	"https://ifconfig.co",
 	"https://icanhazip.com",
 	"https://ifconfig.me",
 }
 
-func getIP(ntw mtglib.Network, protocol string) net.IP {
+// resolvePublicIPEndpoints returns the configured endpoint list, falling back
+// to defaultPublicIPEndpoints when none are configured.
+func resolvePublicIPEndpoints(configured []config.TypeHttpsURL) []string {
+	if len(configured) == 0 {
+		return defaultPublicIPEndpoints
+	}
+
+	out := make([]string, 0, len(configured))
+	for _, u := range configured {
+		if v := u.Get(nil); v != nil {
+			out = append(out, v.String())
+		}
+	}
+
+	if len(out) == 0 {
+		return defaultPublicIPEndpoints
+	}
+
+	return out
+}
+
+func getIP(ctx context.Context, ntw mtglib.Network, protocol string, endpoints []string) net.IP {
 	dialer := ntw.NativeDialer()
 	client := ntw.MakeHTTPClient(func(ctx context.Context, network, address string) (essentials.Conn, error) {
 		conn, err := dialer.DialContext(ctx, protocol, address)
 		return essentials.WrapNetConn(conn), err
 	})
 
-	for _, endpoint := range publicIPEndpoints {
-		if ip := fetchPublicIP(client, endpoint); ip != nil {
+	for _, endpoint := range endpoints {
+		if ip := fetchPublicIP(ctx, client, endpoint); ip != nil {
 			return ip
 		}
 	}
 	return nil
 }
 
-func fetchPublicIP(client *http.Client, endpoint string) net.IP {
-	req, err := http.NewRequest(http.MethodGet, endpoint, nil) //nolint: noctx
+func fetchPublicIP(ctx context.Context, client *http.Client, endpoint string) net.IP {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
 	if err != nil {
 		return nil
 	}

internal/config/config.go

 			Interval TypeDuration    `json:"interval"`
 			Count    TypeConcurrency `json:"count"`
 		} `json:"keepAlive"`
-		DOHIP   TypeIP         `json:"dohIp"`
-		DNS     TypeDNSURI     `json:"dns"`
-		Proxies []TypeProxyURL `json:"proxies"`
+		DOHIP             TypeIP         `json:"dohIp"`
+		DNS               TypeDNSURI     `json:"dns"`
+		Proxies           []TypeProxyURL `json:"proxies"`
+		PublicIPEndpoints []TypeHttpsURL `json:"publicIpEndpoints"`
 	} `json:"network"`
 	Stats struct {
 		StatsD struct {

internal/config/parse.go

 			Interval string `toml:"interval" json:"interval,omitempty"`
 			Count    uint   `toml:"count" json:"count,omitempty"`
 		} `toml:"keep-alive" json:"keepAlive,omitempty"`
-		DOHIP   string   `toml:"doh-ip" json:"dohIp,omitempty"`
-		DNS     string   `toml:"dns" json:"dns,omitempty"`
-		Proxies []string `toml:"proxies" json:"proxies,omitempty"`
+		DOHIP             string   `toml:"doh-ip" json:"dohIp,omitempty"`
+		DNS               string   `toml:"dns" json:"dns,omitempty"`
+		Proxies           []string `toml:"proxies" json:"proxies,omitempty"`
+		PublicIPEndpoints []string `toml:"public-ip-endpoints" json:"publicIpEndpoints,omitempty"`
 	} `toml:"network" json:"network,omitempty"`
 	Stats struct {
 		StatsD struct {