feat(gateway): connect to relay control plane

The gateway binary now has a real relay-facing configuration and QUIC control
handshake. It accepts a relay socket address, expected TLS server name, pinned
DER relay certificate, room code, LAN interface name, and advertised datagram
budget, then connects as role = gateway and waits for a welcome response.

The ALPN token moved into lanparty-ctrl so relay and gateway share the same
protocol identifier instead of carrying duplicate private constants. The gateway
still stops after the control-plane connection; AF_PACKET capture and injection
remain a later slice.

The connector test spins up a local Quinn server with a self-signed certificate,
trusts that certificate explicitly, verifies the outgoing gateway hello, and
checks the received welcome metadata.

Test Plan:
- cargo fmt --check
- cargo test --workspace
- cargo clippy --workspace --all-targets -- -D warnings

Refs: PLAN.md Linux gateway outbound relay connection

README.md

@@ -68,3 +68,18 @@ replies with `welcome` or `reject`, and forwards live Ethernet QUIC datagrams
 between accepted peers in the same room. It currently uses a generated
 self-signed development certificate; production certificate and client trust
 handling remain future work.
+
+## Gateway
+
+```bash
+cargo run -p lanparty-gateway -- \
+  --relay 203.0.113.10:443 \
+  --server-name lanparty-relay.local \
+  --relay-ca-cert relay-cert.der \
+  --room ROOM1 \
+  --interface eth0
+```
+
+The gateway currently connects to the relay as `role = gateway`, completes the
+control-stream hello/welcome handshake, and then waits for shutdown. AF_PACKET
+capture and injection are not wired yet.