fix(ios): force tls for non-loopback manual gateway hosts

[mbelinky]

Summary\n- force TLS for manual gateway hosts that are not true loopback\n- keep .ts.net default-port behavior unchanged\n- harden loopback detection to avoid prefix-bypass hosts like 127.attacker.example\n- add gateway security tests for manual TLS behavior and default port behavior\n\n## Why\nThis supersedes the iOS part of #21441 with a tighter loopback matcher and focused scope.

Greptile Summary

This PR hardens iOS manual gateway connections by forcing TLS for all non-loopback hosts. It introduces a robust isLoopbackHost check using inet_pton (preventing hostname prefix-bypass attacks like 127.attacker.example), adds resolveManualUseTLS to centralize the TLS decision, and consistently applies it across all three manual-connection code paths (connectManual, maybeAutoConnect manual branch, and maybeAutoConnect last-known branch). The existing .ts.net default-port logic (shouldForceTLS) is preserved unchanged for port resolution only.

• All three manual gateway connection paths now force TLS for non-loopback hosts
• Loopback detection covers IPv4 (127.0.0.0/8), IPv6 (::1), IPv4-mapped IPv6 (::ffff:127.x.x.x), localhost, 0.0.0.0, ::, bracket-wrapped addresses, and zone IDs
• New tests verify both the TLS enforcement and default-port behavior invariants
• shouldForceTLS (.ts.net detection) is retained solely for the resolveManualPort default-port logic

Confidence Score: 5/5

• This PR is a well-scoped security hardening change that is safe to merge.
• The changes are focused on a clear security improvement (forcing TLS for non-loopback manual gateway hosts). The loopback detection is implemented correctly using inet_pton for robust IP parsing, preventing hostname prefix-bypass attacks. All three manual-connection code paths are consistently updated. The existing .ts.net default-port behavior is preserved. New tests cover the key security invariants including edge cases. No logic errors or regressions detected.
• No files require special attention.

_{Last reviewed commit: 7a8ccbe}

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Import ordering nit
Darwin and the surrounding imports are not in alphabetical order — Darwin should come before EventKit/Foundation, and Network should come before OpenClawKit. The list was already slightly out of order before this PR, but adding Darwin between Foundation and OpenClawKit extends the inconsistency.

Suggested change

	import Foundation
	import Darwin
	import OpenClawKit
	import Network
	import Foundation
	import Darwin
	import Network
	import OpenClawKit

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/ios/Sources/Gateway/GatewayConnectionController.swift
Line: 7-10

Comment:
**Import ordering nit**
`Darwin` and the surrounding imports are not in alphabetical order — `Darwin` should come before `EventKit`/`Foundation`, and `Network` should come before `OpenClawKit`. The list was already slightly out of order before this PR, but adding `Darwin` between `Foundation` and `OpenClawKit` extends the inconsistency.

```suggestion
import Foundation
import Darwin
import Network
import OpenClawKit
```

<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>

How can I resolve this? If you propose a fix, please make it concise.

[bmendonca3]

Thanks for keeping scope tight and adding the regression tests

[mbelinky]

Merged via squash.

• Prepared head SHA: 9fb39f5
• Merge commit: 8fa46d7

Thanks @mbelinky!