feat(core): implement StaticConfig/DynamicConfig split with ArcSwap hot-reload

Split alknet-core configuration into StaticConfig (immutable after startup)
and DynamicConfig (hot-reloadable at runtime via ArcSwap).

- Add StaticConfig struct in config/static_config.rs with all fields per ADR-030
- Add DynamicConfig struct with AuthPolicy, ForwardingPolicy, RateLimitConfig
- Add ForwardingPolicy with allow_all()/deny_all() defaults (ADR-031)
- Add ConfigReloadHandle with reload() method for runtime config updates
- Replace Arc<ServerAuthConfig> with Arc<ArcSwap<DynamicConfig>> in ServerHandler
- Add config_reload_handle() to Server for obtaining reload handles
- Add AuthPolicy with authenticate_publickey/authenticate_certificate methods
- All existing tests pass with the new config structure
- Default DynamicConfig produces identical behavior to current code

crates/alknet-core/src/lib.rs

@@ -50,18 +50,23 @@
 //! }
 //! ```
 
-pub mod transport;
-pub mod client;
-pub mod server;
 pub mod auth;
-pub mod socks5;
+pub mod client;
+pub mod config;
 pub mod error;
+pub mod server;
+pub mod socks5;
+pub mod transport;
 
 #[cfg(feature = "testutil")]
 pub mod testutil;
 
-pub use error::{AuthError, ChannelError, ConfigError, ForwardError, TransportError};
-pub use transport::{Transport, TransportAcceptor, TransportInfo, TransportKind};
 pub use client::channel_manager::{ChannelManager, ForwardRequest};
 pub use client::connect::{ClientSession, ConnectError, ConnectOptions, TransportMode};
-pub use server::serve::{Server, ServeError, ServeOptions, ServeTransportMode};
+pub use config::{
+    AuthPolicy, ConfigReloadHandle, DynamicConfig, ForwardingAction, ForwardingPolicy,
+    ForwardingRule, RateLimitConfig, StaticConfig,
+};
+pub use error::{AuthError, ChannelError, ConfigError, ForwardError, TransportError};
+pub use server::serve::{ServeError, ServeOptions, ServeTransportMode, Server};
+pub use transport::{Transport, TransportAcceptor, TransportInfo, TransportKind};