Fix/http proxy auth #104

Open
hugeagi wants to merge 12 commits into SagerNet:dev from hugeagi:fix/http-proxy-auth
@hugeagi commented Jun 30, 2026

Summary

Fix HTTP proxy auth challenge compatibility by writing the 407 response in a single buffered write.

Root Cause

Some clients fail auth-challenge flow when the 407 response headers are emitted via fragmented writes. They do not reliably retry with Proxy-Authorization on the same connection in that case.

What Changed

  • In HandleConnectionEx, changed the auth-failure path from direct response write to buffered write:
    • from: responseWith(...).Write(conn)
    • to: writeResponseBuffered(conn, responseWith(...))
  • Added writeResponseBuffered(conn, response) helper:
    • serializes response into bytes.Buffer
    • performs one conn.Write with full payload
    • returns io.ErrShortWrite on partial write
  • Improved error context on 407 write failure:
    • wraps with "write proxy authentication required response"

Scope

  • Protocol behavior and auth semantics are unchanged.
  • This PR only changes wire emission pattern for 407 auth challenge response.

Validation

  • Integration compile validation in consumer (sing-box) with local replace:
    • go test ./protocol/http ./protocol/mixed passed in sing-box
  • Local go test ./protocol/http in this branch is currently blocked by pre-existing test/API drift (HTTPServerOptions / HandleConnectionExWithOptions symbols missing), unrelated to this patch.

Notes

  • This is the upstream fix for the observed 407 challenge compatibility issue.
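
Added example, not part of the pull request or the project's code: a standalone Go program that counts how many writes a 407 response produces when `http.Response.Write` targets the connection directly versus when it is serialized into a `bytes.Buffer` first. `countingWriter`, `writeBuffered` and `challenge` are hypothetical names; `writeBuffered` is a reconstruction from the description above, and the realm is a constructed sample value.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
)

// countingWriter stands in for the client connection and counts Write calls.
// If limit > 0 it accepts at most limit bytes per call (simulated short write).
type countingWriter struct{ calls, limit int }

func (w *countingWriter) Write(p []byte) (int, error) {
	w.calls++
	if w.limit > 0 && len(p) > w.limit {
		return w.limit, nil
	}
	return len(p), nil
}

// writeBuffered is a hypothetical reconstruction of the helper the PR describes:
// serialize the whole response, emit it with one Write, report partial writes.
func writeBuffered(w io.Writer, resp *http.Response) error {
	var buf bytes.Buffer
	if err := resp.Write(&buf); err != nil {
		return err
	}
	n, err := w.Write(buf.Bytes())
	if err == nil && n != buf.Len() {
		err = io.ErrShortWrite
	}
	return err
}

// challenge builds a constructed 407 response; the realm is a sample value.
func challenge() *http.Response {
	return &http.Response{
		StatusCode: http.StatusProxyAuthRequired, ProtoMajor: 1, ProtoMinor: 1,
		Header: http.Header{"Proxy-Authenticate": {`Basic realm="example"`}},
	}
}

func main() {
	direct, buffered := &countingWriter{}, &countingWriter{}
	_ = challenge().Write(direct) // status line and each header go out separately
	_ = writeBuffered(buffered, challenge())
	fmt.Println("direct writes:", direct.calls, "buffered writes:", buffered.calls)
}
```

On a real TCP connection each of those separate writes can become its own segment, which is the fragmentation the Root Cause section refers to.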

2 participants