docs: update architecture docs for production hardening changes #649

Closed
persimmon16 wants to merge 1 commit into NVIDIA:main from persimmon16:docs/production-hardening-architecture

@persimmon16

Summary

  • Updates architecture/gateway.md with graceful shutdown, database pool timeouts, TLS hardening, configurable pool size, sandbox watcher improvements, and grpc module split
  • Updates architecture/gateway-security.md with certificate validity periods and TLS handshake timeout
  • Updates architecture/sandbox.md with background task lifecycle and watcher hardening details

Related Issue

Production readiness audit: documentation must reflect all architecture changes from the hardening PRs.

Changes

  • architecture/gateway.md: 6 new subsections covering shutdown, pools, TLS, watcher, broadcast buffer, grpc split
  • architecture/gateway-security.md: Updated PKI validity, added TLS timeout, updated residual risks
  • architecture/sandbox.md: Added background task lifecycle and watcher hardening sections

Testing

  • Documentation only — no code changes

Checklist

  • Conventional commit format
  • No secrets committed
  • Scoped to the issue at hand

Update gateway, gateway-security, and sandbox architecture docs to
reflect production hardening work: graceful shutdown with connection
draining, database pool timeouts, configurable Postgres pool size,
PKI certificate validity periods (10y CA, 1y leaf), TLS handshake
timeout, CancellationToken-based background task shutdown, sandbox
watcher backpressure and label selector filtering, configurable
broadcast buffer capacity, and grpc.rs module split.
persimmon16 requested a review from a team as a code owner March 28, 2026 19:51
@github-actions

Thank you for your interest in contributing to OpenShell, @persimmon16.

This project uses a vouch system for first-time contributors. Before submitting a pull request, you need to be vouched by a maintainer.

To get vouched:

  1. Open a Vouch Request discussion.
  2. Describe what you want to change and why.
  3. Write in your own words — do not have an AI generate the request.
  4. A maintainer will comment /vouch if approved.
  5. Once vouched, open a new PR (preferred) or reopen this one after a few minutes.

See CONTRIBUTING.md for details.

@github-actions

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:


I have read the DCO document and I hereby sign the DCO.


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

github-actions bot closed this Mar 28, 2026
persimmon16 deleted the docs/production-hardening-architecture branch March 28, 2026 19:56