Feature/ssh tunnel gateway

[sytone]

Summary

This PR delivers two primary outcomes:

1. SSH tunnel support in the tray app so gateway traffic can run through a local loopback endpoint while forwarding to a remote host.
2. Reliable Quick Chat (Quick Send) by treating the tray app as a paired device identity and aligning with gateway auth/approval behavior.

Key Additions

1) SSH Tunnel Feature

• Added persistent SSH tunnel settings (enable flag, SSH user/host, local/remote ports).
• Added effective gateway URL behavior so tunnel mode uses local loopback (ws://127.0.0.1:<localPort>) while preserving remote target configuration.
• Added tunnel lifecycle management in the tray app (start/stop, restart behavior, and shutdown cleanup).
• Added settings UI and validation/testing flow for tunnel configuration.

2) Quick Chat / Quick Send Working with Paired Tray Device

• Added operator device identity handshake payload (signed device info on connect).
• Added connect signature compatibility modes and fallback handling.
• Persisted/rehydrated device token from successful handshake for reconnect continuity.
• Added explicit pairing-required handling path (including reconnect suppression behavior where appropriate).
• Hardened chat.send flow with tracked request/response handling, session key usage, and idempotency key.
• Updated Quick Send error UX to provide targeted remediation for:
  • pairing required / not paired
  • missing operator scopes

Other Fixes and Updates (Complete Branch Coverage)

Connection and Reconnect Behavior

• Improved shared websocket reconnect behavior to avoid getting stuck after transient connect failures.
• Added reconnect-loop guarding and safer reconnect/dispose behavior in the websocket base client.
• Added ShouldAutoReconnect() control path for terminal/approval states.

UI / UX Improvements

• Improved Quick Send dialog behavior and focus handling.
• Added richer Quick Send error details/copy guidance behavior.
• Fixed canvas visibility by forcing canvas window to foreground on present.
• Added canvas bring-to-front helper behavior and integrated it into node canvas present flow.

Tray App Lifecycle / Settings

• Added persisted skipped-update tag behavior and startup prompt logic updates.
• Expanded settings model + manager round-trip support for new fields.
• Updated app startup/shutdown wiring to support new services and state transitions.

New Tooling

• Added OpenClaw.Cli project for gateway websocket validation and quick send probing from tray-compatible settings.
• Added solution/build integration for the CLI project.

Documentation and Repo Hygiene

• Updated README to document new capabilities and troubleshooting context.
• Added AGENTS.md validation expectations for build/test workflow.

Tests

• Updated/expanded shared tests for gateway/device identity and websocket behavior changes.
• Updated tray tests for settings round-trip coverage.

Code Audit Coverage

This PR description was verified against the full upstream/master..HEAD code diff (22 files, ~2043 insertions).

Additional notable changes that were not obvious from commit titles:

• Canvas visibility fix: canvas windows are now explicitly brought to foreground on present (CanvasWindow + NodeService).
• Reconnect resilience fix in shared websocket base to prevent getting stuck after transient connect failures.
• Update UX persistence: SkippedUpdateTag added to shared/tray settings and wired into update prompt flow.
• Settings UI expansion for SSH tunnel configuration and test-connection behavior.
• New SshTunnelService for tunnel process lifecycle management.
• Repo/build wiring for the new CLI validator (build.ps1, solution updates, README updates).
• Validation/process documentation added via AGENTS.md.