feat(networking): add leaf subject filtering and port networking Go tests (D6+D7)
D6: Add ExportSubjects/ImportSubjects allow-lists to LeafHubSpokeMapper alongside existing DenyExports/DenyImports deny-lists. When an allow-list is non-empty, subjects must match at least one allow pattern; deny always takes precedence. Updated LeafNodeOptions, LeafHubSpokeMapper (5-arg constructor), and LeafNodeManager to wire through the new allow-lists. Added 13 new unit + integration tests covering allow-list semantics, deny precedence, bidirectional filtering, and wire-level propagation. D7: Existing NetworkingGoParityTests.cs (50 tests) covers gateway interest mode, route pool accounting, and leaf node connections. Parity DB already up to date.
@@ -28,4 +28,22 @@ public sealed class LeafNodeOptions
|
||||
/// Go reference: leafnode.go — DenyImports in RemoteLeafOpts (opts.go:230).
|
||||
/// </summary>
|
||||
public List<string> DenyImports { get; set; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Explicit allow-list for exported subjects (hub→leaf direction). When non-empty,
|
||||
/// only messages matching at least one of these patterns will be forwarded from
|
||||
/// the hub to the leaf. Deny patterns (<see cref="DenyExports"/>) take precedence.
|
||||
/// Supports wildcards (* and >).
|
||||
/// Go reference: auth.go — SubjectPermission.Allow (Publish allow list).
|
||||
/// </summary>
|
||||
public List<string> ExportSubjects { get; set; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Explicit allow-list for imported subjects (leaf→hub direction). When non-empty,
|
||||
/// only messages matching at least one of these patterns will be forwarded from
|
||||
/// the leaf to the hub. Deny patterns (<see cref="DenyImports"/>) take precedence.
|
||||
/// Supports wildcards (* and >).
|
||||
/// Go reference: auth.go — SubjectPermission.Allow (Subscribe allow list).
|
||||
/// </summary>
|
||||
public List<string> ImportSubjects { get; set; } = [];
|
||||
}
|
||||
|
||||
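Review bot: The summaries on `ExportSubjects` and `ImportSubjects` describe only the non-empty case, so the fail-open default is left implicit: an empty list applies no allow-list restriction, and every subject not matched by a deny pattern is forwarded. Because these lists act as a filtering boundary between hub and leaf, I would state that in both summaries, e.g. `/// An empty list applies no allow-list restriction; only the deny patterns filter this direction.` Both properties also expose a public setter on a mutable `List<string>`, so a `null` assignment or a mutation after the mapper is built is possible; how `LeafHubSpokeMapper` handles either is not visible in this hunk and is worth confirming or documenting. The `LeafNodeOptions` class and the `DenyImports` summary begin outside the hunk.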