feat(apple/library): mTLS — authenticate by the paired identity, drop the token

Phase 3: the Apple library now talks to the host's HTTPS mgmt API (b4a85a8) over mTLS
using this client's persistent identity — the SAME cert the host paired over QUIC — so
there is NO manual token anymore.

- ClientTLS: builds a SecIdentity from the stored PEM (CryptoKit parses the rcgen P-256
  PKCS#8 key → x963 → SecKey; the cert PEM → SecCertificate; SecIdentityCreateWithCertificate
  pairs them via the Keychain). macOS-only for now (that API is unavailable on iOS — a
  PKCS#12 path would be needed there; the client is macOS-first).
- LibraryTLSDelegate: pins the host's self-signed cert by the fingerprint the client
  already trusts, and presents the identity for the client-cert challenge.
- LibraryClient.fetch now does GET https://…/library with the identity + host fingerprint;
  the whole connection form (port + token) and StoredHost.mgmtToken/setMgmt are gone — the
  library "just works" for a paired host. 401 → "pair with the host first".

Can't compile Swift on the Linux box; CI (apple.yml) compiles the macOS path incl. the
Security/CryptoKit code. Runtime (SecIdentity build + the mTLS handshake) needs Mac
validation. Pairs with the host mTLS already landed + live-tested.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

clients/apple/Sources/PunktfunkClient/HostStore.swift

@@ -21,14 +21,11 @@ struct StoredHost: Identifiable, Codable, Hashable {
     var pinnedSHA256: Data?
     /// Last time a streaming session actually started (nil until the first one).
     var lastConnected: Date?
-    /// Management-API port for the experimental library browser (distinct from the data-plane
-    /// `port`). Optional (NOT a defaulted non-optional) so older saved hosts — whose JSON lacks
-    /// this key — still decode: synthesized Decodable ignores property defaults but treats a
-    /// missing Optional as nil. Resolve via `effectiveMgmtPort`.
+    /// Management-API port for the library browser (distinct from the data-plane `port`). Optional
+    /// (NOT a defaulted non-optional) so older saved hosts — whose JSON lacks this key — still
+    /// decode: synthesized Decodable ignores property defaults but treats a missing Optional as
+    /// nil. Resolve via `effectiveMgmtPort`. (Auth is mTLS by the pinned identity — no token.)
     var mgmtPort: UInt16?
-    /// Bearer token for the management API (the host's `--mgmt-token`). Required for any
-    /// non-loopback mgmt bind; nil until the user enters it.
-    var mgmtToken: String?
 
     var displayName: String { name.isEmpty ? address : name }
     var effectiveMgmtPort: UInt16 { mgmtPort ?? punktfunkDefaultMgmtPort }
@@ -96,14 +93,6 @@ final class HostStore: ObservableObject {
         hosts[i].pinnedSHA256 = nil
     }
 
-    /// Persist the management-API endpoint for the (experimental) library browser. An empty
-    /// token is stored as nil (no credential).
-    func setMgmt(_ hostID: UUID, port: UInt16, token: String) {
-        guard let i = hosts.firstIndex(where: { $0.id == hostID }) else { return }
-        hosts[i].mgmtPort = port
-        let trimmed = token.trimmingCharacters(in: .whitespacesAndNewlines)
-        hosts[i].mgmtToken = trimmed.isEmpty ? nil : trimmed
-    }
 
     private func persist() {
         if let data = try? JSONEncoder().encode(hosts) {