#21103: Android/Security: exclude device identity from backups

This PR reopens the Android backup identity exclusion work from the previously closed PR after branch-name cleanup. Summary: - Exclude `openclaw/identity` from Android backup/data-transfer rules. - Add regression coverage for backup/data extraction XML rules. Note: - This branch currently includes the secure transport commit lineage as prepared previously. Replaces: #21070 <!-- greptile_comment --> <h3>Greptile Summary</h3> Excludes `openclaw/identity` from Android cloud backup and device-transfer rules, and enforces TLS for all non-loopback gateway connections. - Added exclusion rules to `backup_rules.xml` and `data_extraction_rules.xml` to prevent device identity material from being backed up - Added `BackupRulesTest.kt` with regression coverage for backup exclusions - Implemented TLS enforcement in `ConnectionManager`, `GatewaySession`, and `NodeRuntime` - non-loopback connections now require TLS - Added `isLoopbackHost()` helper to detect localhost/127.x/::1 addresses - Updated `ConnectionManagerTest.kt` with comprehensive test coverage for TLS enforcement logic <h3>Confidence Score: 5/5</h3> - Safe to merge with minimal risk - Security-focused PR with proper backup exclusions and TLS enforcement. Well-tested with comprehensive unit tests covering both backup rules and TLS enforcement logic. Changes are defensive, preventing plaintext connections to non-loopback hosts and excluding sensitive identity data from backups. Only minor code duplication noted. - No files require special attention _{Last reviewed commit: b45edc4} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->