
#21102: Android/Security: require TLS for non-loopback gateway sessions

by bmendonca3 open 2026-02-19 17:22
app: android size: S
This PR reopens the Android transport hardening from the previously closed PR after branch-name cleanup.

Summary:

- Require TLS for non-loopback Android gateway sessions.
- Keep plaintext WS limited to loopback development flows.
- Add/retain unit tests for transport-policy behavior.

Replaces: #21069

<h3>Greptile Summary</h3>

This PR enforces TLS for non-loopback Android gateway connections by blocking plaintext WebSocket connections to remote hosts while preserving plaintext for loopback development flows.

**Key changes:**

- Added `isLoopbackHost` helper to detect localhost/127.x.x.x/::1/0.0.0.0/:: addresses
- `GatewaySession.connect()` now throws `IllegalStateException` if attempting non-loopback plaintext connection
- `ConnectionManager.resolveTlsParamsForEndpoint` enforces TLS requirements for manual and discovered non-loopback endpoints
- `NodeRuntime.connectManual()` validates TLS requirement before attempting connection
- Added comprehensive test coverage for loopback vs non-loopback TLS enforcement scenarios

**Minor issue:**

- The `isLoopbackHost` function is duplicated in both `GatewaySession.kt` and `ConnectionManager.kt` with identical implementations

<h3>Confidence Score: 5/5</h3>

- This PR is safe to merge with minimal risk
- The security hardening logic is straightforward and well-tested. The PR includes comprehensive unit tests covering all critical scenarios (loopback vs non-loopback, manual vs discovered endpoints). The only issue is a minor code duplication that doesn't affect functionality or security.
- No files require special attention

<sub>Last reviewed commit: 920af39</sub>
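An added example (not code from this PR or the project) of the transport policy the summary describes: plaintext `ws://` is accepted only for the loopback hosts listed above, and anything else must use `wss://`. `requireTransportPolicy`, the sample URLs and the port are constructed for illustration; matching a full dotted quad rather than a `127.` prefix is this example's choice, so a DNS name such as `127.example.test` is not treated as loopback.

```kotlin
import java.net.URI

// Hypothetical sketch; only the name isLoopbackHost and the host list come from the PR summary.
private val IPV4 = Regex("""^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$""")

/** True for localhost, 127.0.0.0/8, ::1, 0.0.0.0 and :: (the set named in the summary). */
fun isLoopbackHost(rawHost: String?): Boolean {
    // java.net.URI returns IPv6 literals with brackets, e.g. "[::1]".
    val host = rawHost?.trim()?.lowercase()?.removeSurrounding("[", "]") ?: return false
    if (host.isEmpty()) return false
    if (host == "localhost" || host == "::1" || host == "::" || host == "0.0.0.0") return true
    // Require four numeric octets so that hostnames beginning with "127." do not match.
    val match = IPV4.matchEntire(host) ?: return false
    val octets = match.groupValues.drop(1).map { it.toInt() }
    return octets.all { it in 0..255 } && octets[0] == 127
}

/** Throws IllegalStateException when a plaintext WebSocket URL targets a non-loopback host. */
fun requireTransportPolicy(url: String) {
    val uri = URI(url)
    when (val scheme = uri.scheme?.lowercase()) {
        "wss" -> Unit // TLS is always acceptable
        "ws" -> check(isLoopbackHost(uri.host)) {
            "TLS is required for non-loopback gateway host: ${uri.host}"
        }
        else -> throw IllegalStateException("unsupported scheme: $scheme")
    }
}

fun main() {
    // Constructed sample endpoints; port 8080 is arbitrary.
    val samples = listOf(
        "ws://localhost:8080",
        "ws://127.0.0.1:8080",
        "ws://[::1]:8080",
        "ws://127.example.test:8080",
        "ws://gateway.example.test:8080",
        "wss://gateway.example.test:8080",
    )
    for (url in samples) {
        val verdict = runCatching { requireTransportPolicy(url) }
            .fold({ "allowed" }, { "blocked (${it.message})" })
        println("$url -> $verdict")
    }
}
```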
