feat(client,cmd,mobile): connect securely via client.Connect(caPath)

client.Connect is the single migration seam: a non-empty caPath connects with
TLS pinned to the bus CA plus nkey auth (matching enforce + bus-tls), an empty
caPath keeps the legacy plaintext dev connection; control-plane requests are
signed either way. worker and chat gain a --ca flag; the gomobile NewSession
gains a caPath parameter so the Android app bundles ca.crt and connects
securely. Every peer now flows through one code path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 12:49:19 +02:00
parent 2ccd11b68c
commit 74c8d4f941
4 changed files with 41 additions and 17 deletions
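The two connection modes the commit message describes for client.Connect, as an added Go example that is not the project's own code: PinnedTLSConfig, VerifyLeaf, newCA, serverLeaf and Demo are hypothetical names, the bus CA, a second unrelated CA and the server certificates are constructed in memory for the example, and the nkey authentication and the NATS connection itself are left out (they need the nats.go client). An empty caPath selects the plaintext mode (nil config); a non-empty one yields a tls.Config whose only trust root is the bus CA, so a leaf issued by any other CA fails verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// PinnedTLSConfig is the illustrative caPath seam (hypothetical, not the project's
// Connect): "" selects the legacy plaintext mode (nil config); otherwise the only trust
// root is the bus CA, and an unreadable or certificate-less file fails closed.
func PinnedTLSConfig(caPath string) (*tls.Config, error) {
	if caPath == "" {
		return nil, nil
	}
	pemBytes, err := os.ReadFile(caPath)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("ca file holds no certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// VerifyLeaf runs the chain and hostname check a TLS client performs against cfg.RootCAs.
func VerifyLeaf(cfg *tls.Config, leafDER []byte, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// must panics on fixture errors; the certificates below are constructed for the example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA self-signs a throwaway CA with the given common name.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// serverLeaf issues a server certificate for host under the given CA.
func serverLeaf(host string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey))
}

// Demo writes the bus CA to ca.crt in a temp dir, pins to it, and reports whether a
// leaf from the bus CA (busOK) and one from an unrelated CA (rogueOK) verify.
func Demo() (busOK, rogueOK bool, err error) {
	busCert, busKey := newCA("bus-ca")
	rogueCert, rogueKey := newCA("rogue-ca")
	dir, err := os.MkdirTemp("", "bus-ca")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	caPath := filepath.Join(dir, "ca.crt")
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: busCert.Raw})
	if err = os.WriteFile(caPath, caPEM, 0o600); err != nil {
		return
	}
	cfg, err := PinnedTLSConfig(caPath)
	if err != nil {
		return
	}
	const host = "bus.internal"
	busOK = VerifyLeaf(cfg, serverLeaf(host, busCert, busKey), host) == nil
	rogueOK = VerifyLeaf(cfg, serverLeaf(host, rogueCert, rogueKey), host) == nil
	return
}
```

The design point worth carrying into a real seam of this shape is that only the literal empty string means "plaintext dev mode": a caPath that cannot be read or holds no certificate is an error, so a mis-packaged ca.crt cannot silently degrade a build that was meant to be pinned.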
@@ -44,14 +44,18 @@ func GenerateIdentity(path string) error {
}
// NewSession loads the identity at idPath and connects to the bus. natsURL is
// the data plane (for example nats://host:4250) and ctrlURL is the control
// plane HTTP endpoint (for example http://host:8470).
func NewSession(idPath, natsURL, ctrlURL string) (*Session, error) {
// the data plane (for example tls://host:4250) and ctrlURL is the control plane
// HTTP endpoint (for example http://host:8470). caPath is the path to the bus
// CA certificate (ca.crt) bundled with the app: when set, the session connects
// securely (TLS pinned to that CA + nkey authentication on the data plane),
// matching a bus running with auth + TLS. Pass an empty caPath to connect in
// plaintext to an unsecured (dev) bus.
func NewSession(idPath, natsURL, ctrlURL, caPath string) (*Session, error) {
id, err := client.LoadOrCreateIdentity(idPath)
if err != nil {
return nil, err
}
c, err := client.New(natsURL, ctrlURL, id)
c, err := client.Connect(natsURL, ctrlURL, id, caPath)
if err != nil {
return nil, err
}
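Review bot: the empty-caPath branch of NewSession is a silent downgrade in a public gomobile API, and the new comment makes it easy to hit: the natsURL example is now tls://host:4250, yet a caller that passes caPath as "" (a mis-packaged ca.crt, or a call site updated with a placeholder) gets a plaintext connection with no error. Suggest rejecting an empty caPath unless the caller opts into dev mode explicitly, and saying in the comment which URL scheme pairs with each mode; also confirm that client.Connect fails closed on a caPath that does not exist or holds no certificate rather than treating it like an empty one, since the hunk documents only the empty case.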