doc: rename the goals section to be more clear

internal/enginenetx/DESIGN.md

@@ -3,7 +3,27 @@
 This file documents the [./internal/enginenetx](.) package design. The content is current
 as of [probe-cli#1552](https://github.com/ooni/probe-cli/pull/1552).
 
-## Design Goals
+## Table of Contents
+
+- [Goals & Assumptions](#goals--assumptions)
+- [High-Level API](#high-level-api)
+- [Creating TLS Connections](#creating-tls-connections)
+- [Dialing Tactics](#dialing-tactics)
+- [Dialing Algorithm](#dialing-algorithm)
+- [Dialing Policies](#dialing-policies)
+	- [dnsPolicy](#dnspolicy)
+	- [userPolicy](#userpolicy)
+	- [statsPolicy](#statspolicy)
+	- [bridgePolicy](#bridgepolicy)
+- [Overall Algorithm](#overall-algorithm)
+- [Managing Stats](#managing-stats)
+- [Real-World Scenarios](#real-world-scenarios)
+	- [Invalid bridge without cached data](#invalid-bridge-without-cached-data)
+	- [Invalid bridge with cached data](#invalid-bridge-with-cached-data)
+	- [Valid bridge with invalid cached data](#valid-bridge-with-invalid-cached-data)
+- [Limitations and Future Work](#limitations-and-future-work)
+
+## Goals & Assumptions
 
 We define "bridge" an IP address with the following properties:
 
@@ -102,7 +122,7 @@ we implemented strict falling back.)
 
 Also, when using a proxy, we just use `dnsPolicy` assuming the proxy knows how to do circumvention.
 
-## Instructions For Dialing
+## Dialing Tactics
 
 Each policy implements the following interface (defined in [httpsdialer.go](httpsdialer.go)):
 
@@ -170,7 +190,7 @@ SNI over the network and then verify the certificate using the real SNI after a
 `skipVerify=true` TLS handshake has completed. (Obviously, for this trick to work,
 the HTTPS server we're using must be okay with receiving unrelated SNIs.)
 
-## HTTPS Dialer
+## Dialing Algorithm
 
 Creating TLS connections is implemented by `(*httpsDialer).DialTLSContext`, also
 part of [httpsdialer.go](httpsdialer.go).
@@ -311,7 +331,9 @@ type httpsDialerEventsHandler interface {
 These statistics contribute to construct knowledge about the network
 conditions and influence the generation of tactics.
 
-## dnsPolicy
+## Dialing Policies
+
+### dnsPolicy
 
 The `dnsPolicy` is implemented by [dnspolicy.go](dnspolicy.go).
 
@@ -327,7 +349,7 @@ what `getaddrinfo` would do when asked to "resolve" an IP address);
 If `httpsDialer` uses this policy as its only policy, the operation it
 performs are morally equivalent to normally dialing for TLS.
 
-## userPolicy
+### userPolicy
 
 The `userPolicy` is implemented by [userpolicy.go](userpolicy.go).
 
@@ -374,7 +396,7 @@ inside the `DomainEndpoints` map;
 Because `userPolicy` is user-configured, we _entirely bypass_ the
 fallback policy when there's an user-configured entry.
 
-## statsPolicy
+### statsPolicy
 
 The `statsPolicy` is implemented by [statspolicy.go](statspolicy.go).
 
@@ -412,7 +434,7 @@ tactics from the fallback because that allows us to include two bridge tactics
 and two DNS tactics, as explained below when we discuss the
 `bridgePolicy` policy.)
 
-## bridgePolicy
+### bridgePolicy
 
 The `bridgePolicy` is implemented by [bridgespolicy.go](bridgespolicy.go) and
 rests on the assumptions made explicit above. That is:

internal/enginenetx/bridgespolicy_test.go

@@ -147,7 +147,7 @@ func TestBridgesPolicy(t *testing.T) {
 			dnsCount     int
 			overallCount int
 		)
-		const expectedDNSEntryCount = 153 // yikes!
+		const expectedDNSEntryCount = 3
 		for tactic := range tactics {
 			overallCount++