feat(core): implement StaticConfig/DynamicConfig split with ArcSwap hot-reload

Split alknet-core configuration into StaticConfig (immutable after startup)
and DynamicConfig (hot-reloadable at runtime via ArcSwap).

- Add StaticConfig struct in config/static_config.rs with all fields per ADR-030
- Add DynamicConfig struct with AuthPolicy, ForwardingPolicy, RateLimitConfig
- Add ForwardingPolicy with allow_all()/deny_all() defaults (ADR-031)
- Add ConfigReloadHandle with reload() method for runtime config updates
- Replace Arc<ServerAuthConfig> with Arc<ArcSwap<DynamicConfig>> in ServerHandler
- Add config_reload_handle() to Server for obtaining reload handles
- Add AuthPolicy with authenticate_publickey/authenticate_certificate methods
- All existing tests pass with the new config structure
- Default DynamicConfig produces identical behavior to current code
2026-06-07 14:03:46 +00:00
parent a7f0dcdeb9
commit ee1b3f3819
36 changed files with 964 additions and 393 deletions

@@ -16,10 +16,12 @@ pub mod stealth;
pub use channel_proxy::{connect_outbound, proxy_channel};
pub use control_channel::{
ControlChannelHandler, ControlChannelRouter, DuplexStream, ALKNET_CONTROL_DESTINATION,
ALKNET_PREFIX, is_reserved_destination,
is_reserved_destination, ControlChannelHandler, ControlChannelRouter, DuplexStream,
ALKNET_CONTROL_DESTINATION, ALKNET_PREFIX,
};
pub use handler::{ProxyConfig, ProxyMode, ServerHandler, TransportKind};
pub use rate_limit::{AuthAttemptLimiter, ConnectionRateLimiter};
pub use serve::{Server, ServeError, ServeOptions, ServeTransportMode};
pub use stealth::{ProtocolDetection, detect_protocol, send_fake_nginx_404, validate_stealth_config};
pub use serve::{ServeError, ServeOptions, ServeTransportMode, Server};
pub use stealth::{
detect_protocol, send_fake_nginx_404, validate_stealth_config, ProtocolDetection,
};
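Review bot: the `pub use` lists for `control_channel`, `serve` and `stealth` in this hunk are only reordered (for example `is_reserved_destination` moves to the front of its list and `Server` to the end of its own); no item is added or dropped, so this is formatting churn unrelated to the StaticConfig/DynamicConfig split. In a commit that changes how ServerHandler holds its auth configuration and touches 36 files, I would move the import re-sorting into a separate formatting-only commit so the auth-relevant hunks are easier to audit. None of the new types named in the commit message (ConfigReloadHandle, AuthPolicy, ForwardingPolicy) appear in the re-exports visible here; if callers are meant to reach them through this module, please confirm they are exported elsewhere in the file.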