Milestone 2.1: Engine hardening + protocol emulators

[vxfemboy]

Milestone 2.1 — Engine Hardening + Protocol Emulators

Hardens the deception engine for production and makes it far more convincing by adding five protocol emulators. All within blackwall-deception + the blackwalld run wiring.

Hardening

• Connection cap + session timeout (EngineLimits) — a shared semaphore bounds concurrent deception sessions (at-cap connections are dropped, never queued, so a flood can't exhaust tasks/FDs), and each session is wrapped in a tokio::time::timeout to kill slow-loris clients. Closes [A·M2 follow-up] Idle timeout + connection cap on emulators #21.
• Supervised transports — blackwalld run collects the v4/v6 TPROXY serve tasks and the NFQUEUE loop into a JoinSet raced against the session-drain loop; a transport death now logs and yields a non-zero exit instead of silently running degraded. Closes [A·M2 follow-up] Supervise engine transport tasks #19.
• Live banner hot-reload — emulators read banners through a BannerSource::{Fixed,Live} (calling current() per connection), and a notify file-watcher in run drives SharedBanners::reload so banner edits take effect without a restart. Closes [A·M2 follow-up] Wire runtime banner hot-reload into run #20.

Emulators (interactive ServiceEmulators)

• SSH — version banner + a valid binary KEXINIT, captures the client's version banner. No real crypto (deception scope).
• SMTP — 220 greeting then correct 250/354/221/502 reply codes through a basic envelope, with byte/command caps.
• Redis — RESP PING→+PONG, INFO with redis_version, +OK/-ERR, parses both array and inline commands.
• MySQL — protocol-10 handshake (3-byte LE framing) then an auth-failure ERR packet.
• PostgreSQL — reads the client StartupMessage, replies with a framed ErrorResponse.

All registered in default_registry on standard ports (22, 25/587, 80/8080, 3306, 5432, 6379) with the generic banner/tarpit fallback. Closes #13, closes #14.

Quality

• 90 tests; coverage 97.30% (kernel/root-bound files excluded via the documented gate filter); --deny warnings clippy + rustfmt clean.
• Per-task spec+quality reviews and a whole-branch review (verdict: ready to merge, no Critical/Important). The two believability refinements it suggested are tracked as [A·M2.1 follow-up] Buffer-accumulating parse for Redis/SMTP emulators #23 and [A·M2.1 follow-up] Assert SSH KEXINIT on the wire in e2e test #24.

Deferred (tracked)

• Follow-ups [A·M2.1 follow-up] Buffer-accumulating parse for Redis/SMTP emulators #23 (buffer-accumulating parse for Redis/SMTP) and [A·M2.1 follow-up] Assert SSH KEXINIT on the wire in e2e test #24 (assert SSH KEXINIT on the wire in the e2e test).