feat(config): add system account, SIGHUP reload, and auth change propagation (E6+E7+E8)

E6: Add IsSystemAccount property to Account, mark $SYS account as system,
add IsSystemSubject/IsSubscriptionAllowed/GetSubListForSubject helpers to
route $SYS.> subjects to the system account's SubList and block non-system
accounts from subscribing.

E7: Add ConfigReloader.ReloadAsync and ApplyDiff for structured async reload,
add ConfigReloadResult/ConfigApplyResult types. SIGHUP handler already wired
via PosixSignalRegistration in HandleSignals.

E8: Add PropagateAuthChanges to re-evaluate connected clients after auth
config reload, disconnecting clients whose credentials no longer pass
authentication with -ERR 'Authorization Violation'.
Joseph Doherty
2026-02-24 15:48:48 -05:00
parent 18acd6f4e2
commit c6ecbbfbcc
12 changed files with 3143 additions and 4 deletions

@@ -7,6 +7,7 @@ namespace NATS.Server.Auth;
public sealed class Account : IDisposable
{
public const string GlobalAccountName = "$G";
public const string SystemAccountName = "$SYS";
public string Name { get; }
public SubList SubList { get; } = new();
@@ -18,6 +19,13 @@ public sealed class Account : IDisposable
public int MaxJetStreamStreams { get; set; } // 0 = unlimited
public string? JetStreamTier { get; set; }
/// <summary>
/// Indicates whether this account is the designated system account.
/// The system account owns $SYS.> subjects for internal server-to-server communication.
/// Reference: Go server/accounts.go — isSystemAccount().
/// </summary>
public bool IsSystemAccount { get; set; }
/// <summary>Per-account JetStream resource limits (storage, consumers, ack pending).</summary>
public AccountLimits JetStreamLimits { get; set; } = AccountLimits.Unlimited;
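Review bot: `IsSystemAccount` is declared with a public setter (`public bool IsSystemAccount { get; set; }`), so any code holding an `Account` reference can flip the flag after the account has been constructed. The doc comment says this flag designates the owner of `$SYS.>` subjects, so it should not be freely mutable: consider `{ get; init; }` or an internal setter, or derive the value from `Name == SystemAccountName` so the flag and the `$SYS` name constant added in the first hunk cannot disagree. The summary should also state who is expected to set the flag and when.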