refactor!: rebrand wraith to alknet

Rename all crates, CLI commands, constants, type names, doc comments,
and documentation from wraith to alknet. Includes wire-protocol changes:
ALPN wraith-ssh -> alknet-ssh, reserved destination prefix wraith- ->
alknet-, SSH auth username wraith -> alknet.

docs/architecture/decisions/002-tun-separate-process.md

@@ -4,18 +4,18 @@
 Superseded by ADR-014
 
 ## Context
-TUN interface creation requires root privileges or `CAP_NET_ADMIN` on Linux, Administrator on Windows, or platform-specific VPN APIs on macOS/iOS/Android. If the core wraith binary required these privileges, the attack surface of root-required code would include the entire SSH implementation, key handling, and transport negotiation.
+TUN interface creation requires root privileges or `CAP_NET_ADMIN` on Linux, Administrator on Windows, or platform-specific VPN APIs on macOS/iOS/Android. If the core alknet binary required these privileges, the attack surface of root-required code would include the entire SSH implementation, key handling, and transport negotiation.
 
 The primary use cases (SOCKS5 proxy, port forwarding) need no privileges at all. Only the "route all traffic through TUN" use case needs root.
 
 ## Decision
-The TUN functionality is a separate `wraith-tun` binary that:
+The TUN functionality is a separate `alknet-tun` binary that:
 1. Creates a TUN device (requires root / CAP_NET_ADMIN)
 2. Reads IP packets from it
-3. Forwards each connection to the core wraith's SOCKS5 port (127.0.0.1:1080)
+3. Forwards each connection to the core alknet's SOCKS5 port (127.0.0.1:1080)
 4. Proxies bytes between TUN packets and SOCKS5 connections
 
-The core `wraith connect` binary never needs root. The `wraith-tun` binary is ~200-500 lines and does nothing except TUN ↔ SOCKS5 forwarding.
+The core `alknet connect` binary never needs root. The `alknet-tun` binary is ~200-500 lines and does nothing except TUN ↔ SOCKS5 forwarding.
 
 ## Consequences
 - **Positive**: Root-required code surface is tiny and auditable.