fix(tui): correctly handle plaintext and cloudflare_jwt gateway auth #1876

Draft
alexclewontin wants to merge 2 commits into NVIDIA:main from alexclewontin:tui-plaintext-jwt

@alexclewontin alexclewontin commented Jun 11, 2026

Contributor

Summary

Fix TUI gateway switching for non-mTLS gateways. This PR makes the TUI honor explicit plaintext
gateway metadata and adds a dedicated cloudflare_jwt path so edge-authenticated gateways no
longer fall through to the mTLS flow.

This was identified in the review process of #1625 but since it pre-dates that PR and is not really directly related to it, I wanted to split it out.

Related Issue

N/A — split from review feedback on system-gateway-dir.

Changes

  • honor auth_mode = "plaintext" when selecting the TUI transport instead of defaulting HTTPS
    endpoints to mTLS
  • add an explicit GatewayChannelMode::Edge path for auth_mode = "cloudflare_jwt"
  • load stored edge tokens and build the TUI client with EdgeAuthInterceptor for
    edge-authenticated gateways
  • add crates/openshell-tui/src/edge_tunnel.rs to bridge local gRPC traffic over the gateway
    /_ws_tunnel WebSocket endpoint for HTTPS edge gateways
  • add unit coverage for gateway mode selection across plaintext, edge, OIDC, and HTTP fallback
    cases
  • add tokio-tungstenite and futures to support the edge tunnel client

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable) <- working on this, will take out of draft when it is done

Additional testing:

  • cargo test -p openshell-tui --lib
  • cargo clippy -p openshell-tui --all-targets -- -D warnings

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>

copy-pr-bot Bot commented Jun 11, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
