feat(core): implement StaticConfig/DynamicConfig split with ArcSwap hot-reload

Split alknet-core configuration into StaticConfig (immutable after startup)
and DynamicConfig (hot-reloadable at runtime via ArcSwap).

- Add StaticConfig struct in config/static_config.rs with all fields per ADR-030
- Add DynamicConfig struct with AuthPolicy, ForwardingPolicy, RateLimitConfig
- Add ForwardingPolicy with allow_all()/deny_all() defaults (ADR-031)
- Add ConfigReloadHandle with reload() method for runtime config updates
- Replace Arc<ServerAuthConfig> with Arc<ArcSwap<DynamicConfig>> in ServerHandler
- Add config_reload_handle() to Server for obtaining reload handles
- Add AuthPolicy with authenticate_publickey/authenticate_certificate methods
- All existing tests pass with the new config structure
- Default DynamicConfig produces identical behavior to current code
2026-06-07 14:03:46 +00:00
parent a7f0dcdeb9
commit ee1b3f3819
36 changed files with 964 additions and 393 deletions


@@ -10,8 +10,6 @@ use std::net::SocketAddr;
use std::process;
use std::sync::Arc;
use anyhow::{anyhow, Result};
use clap::{Parser, Subcommand, ValueEnum};
use alknet_core::auth::keys::KeySource;
use alknet_core::client::{ConnectOptions, TransportMode};
use alknet_core::server::{ServeOptions, ServeTransportMode, Server};
@@ -21,6 +19,8 @@ use alknet_core::transport::TcpTransport;
#[cfg(feature = "tls")]
use alknet_core::transport::TlsTransport;
use alknet_core::transport::Transport;
use anyhow::{anyhow, Result};
use clap::{Parser, Subcommand, ValueEnum};
#[derive(Parser)]
#[command(name = "alknet", version, about = "Alknet SSH tunnel tool")]
@@ -76,7 +76,7 @@ enum Commands {
insecure: bool,
},
#[command( about = "Start the alknet server (accept SSH connections)")]
#[command(about = "Start the alknet server (accept SSH connections)")]
Serve {
#[arg(long, help = "SSH host key path (required)")]
key: String,