Commit c9dad67
Address review comments: naming, enforcement model, API, restructure
- Adopt two-tier naming: 'mTLS domain' (Part 1, BOSH-scoped mutual
  auth) and 'identity-aware domain' (Part 2, enforce-access-rules).
  RFC title changed to 'Identity-Aware Routing for GoRouter'.
- Rename BOSH property mtls_domains -> router.domains (name: key).
- Replace all example domains with apps.identity community convention.
- Move enforcement to creation time: --enforce-access-rules and --scope
  flags on cf create-shared-domain / cf create-private-domain, immutable
  after creation. Remove cf enable/disable-domain-access-rules entirely.
- Add --path flag to all three developer CLI commands.
- Add cascade delete behaviour and metadata (labels + annotations) to
  access rule resource and all API examples.
- Expand API endpoints table: GET /v3/access_rules/:guid, POST and PATCH
  /v3/access_rules. Add full request/response appendix examples.
- Clarify selector_resource_guids as opaque text-match filter; stale
  detection is caller responsibility, not CC's.
- Add explicit note that selector GUIDs are not validated at creation
  time (destination-controlled, public identity model).
- Remove invalid cf:any + cf:app combined example.
- Clarify cf:any mutual exclusivity in prose.
- Convert all bold (**) section labels to proper markdown headings.
- Restructure Part 2 into operator and developer user stories:
  Operator Setup, Operator Scope, Layered Authorization,
  Developer Access Rules, Access Rules API (main body).
  Move implementation details to new appendix sections:
  Scope Evaluation and Shared Routes, Identity Extraction,
  Access Rules API Reference, Namespace Reservation,
  Internal Implementation.

1 parent c531751 commit c9dad67
1 file changed, +255 -288 lines changed