feat(config): add system account, SIGHUP reload, and auth change propagation (E6+E7+E8)

E6: Add IsSystemAccount property to Account, mark $SYS account as system,
add IsSystemSubject/IsSubscriptionAllowed/GetSubListForSubject helpers to
route $SYS.> subjects to the system account's SubList and block non-system
accounts from subscribing.

E7: Add ConfigReloader.ReloadAsync and ApplyDiff for structured async reload,
add ConfigReloadResult/ConfigApplyResult types. SIGHUP handler already wired
via PosixSignalRegistration in HandleSignals.

E8: Add PropagateAuthChanges to re-evaluate connected clients after auth
config reload, disconnecting clients whose credentials no longer pass
authentication with -ERR 'Authorization Violation'.

src/NATS.Server/Configuration/LeafNodeOptions.cs

@@ -12,4 +12,20 @@ public sealed class LeafNodeOptions
     /// Go reference: leafnode.go — JsDomain in leafNodeCfg.
     /// </summary>
     public string? JetStreamDomain { get; set; }
+
+    /// <summary>
+    /// Subjects to deny exporting (hub→leaf direction). Messages matching any of
+    /// these patterns will not be forwarded from the hub to the leaf.
+    /// Supports wildcards (* and >).
+    /// Go reference: leafnode.go — DenyExports in RemoteLeafOpts (opts.go:231).
+    /// </summary>
+    public List<string> DenyExports { get; set; } = [];
+
+    /// <summary>
+    /// Subjects to deny importing (leaf→hub direction). Messages matching any of
+    /// these patterns will not be forwarded from the leaf to the hub.
+    /// Supports wildcards (* and >).
+    /// Go reference: leafnode.go — DenyImports in RemoteLeafOpts (opts.go:230).
+    /// </summary>
+    public List<string> DenyImports { get; set; } = [];
 }