#13321: android/gateway: harden manual connect identity and A2UI UX

## Summary - Harden Android gateway `connect` device identity generation/signing across provider variants. - Retry `connect` once with regenerated identity when device auth fields cannot be produced. - Keep manual gateway defaults aligned with Tailscale Serve (`443` + TLS enabled by default). - Improve canvas host normalization for manual/TLS endpoints so Android uses the expected HTTPS origin. - Keep A2UI navigation stable on reconnect paths (avoid dropping to local scaffold while operator is still connected). - Add clearer connected-idle canvas UI (`Ready!` / `Chat or speak.`) and warning-only banners for background/node-offline states. - Fix gateway A2UI asset resolution for bundled/npm dist runtime layouts. - Update Android runbook docs with correct WS pairing commands (`openclaw devices ...`), manual gateway guidance, and troubleshooting. ## Testing - `cd apps/android && ./gradlew -Pandroid.aapt2FromMavenOverride=/home/dragon/.openclaw/tools/aapt2 :app:assembleDebug :app:testDebugUnitTest` ✅ - `cd /clawdbot/openclaw && pnpm test src/canvas-host/server.test.ts` ✅ <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> Changes focus on Android gateway connectivity and A2UI UX, plus making the canvas-host A2UI asset lookup work across more runtime layouts. On Android, manual gateway defaults are moved to port 443 with TLS support, connect identity signing is made more robust with multiple crypto-provider fallbacks and a one-time regeneration retry, and the UI avoids dropping to the local scaffold during reconnect while adding “Ready!/Chat or speak.” and warning-only banners. On the server side, A2UI root discovery now considers `OPENCLAW_A2UI_ROOT` and bundled/npm dist layouts via `argv[1]`, and tests were updated to cover retrying asset lookup after an initial miss. <h3>Confidence Score: 3/5</h3> - This PR is close to mergeable but has at least one correctness/performance issue in A2UI root caching that should be addressed. - Most changes are additive and covered by tests, but the updated A2UI root cache no longer caches misses, which can cause repeated filesystem scans and unstable 503/200 behavior depending on when assets appear. Fixing the miss-caching logic (or adding a TTL) would make the new lookup behavior reliable. - src/canvas-host/a2ui.ts <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} <!-- /greptile_comment -->