[codex] implement remote connection mode end-to-end

[aronprins]

Summary

This PR implements the remote connection mode feature end-to-end while preserving the existing embedded local mode.

Local vs remote mode support

• adds a launcher/chooser flow for local_embedded vs remote_existing
• keeps the embedded local server boot path, progress states, and updater integration for local mode
• adds remote connection profiles with persistence, CRUD, recent connections, and menu-based quick connect
• supports remembered startup preference and auto-attempting the last profile when configured

Preflight and security model

• requires mandatory remote preflight before loading any remote origin
• validates and normalizes remote URLs and rejects embedded username/password credentials
• verifies /api/health and /api/auth/get-session
• allows only authenticated upstream Paperclip remotes with authReady=true
• blocks non-Paperclip endpoints, TLS failures, and unsupported local_trusted remotes
• uses exact-origin navigation policy per mode and opens all other http(s) links externally
• uses no privileged preload surface in remote mode
• keeps remote browsing state isolated via remote session partitions without storing raw credentials or copied auth tokens

UI implementation from the mockup

• replaces the old splash-only startup with a launcher window that implements the chooser, remote connect form, verification states, connecting state, error state, saved connections CRUD, and local boot progress states in the mockup’s visual language
• adds app-menu connection actions for launcher access, local connect, saved/recent remotes, and chooser behavior

Validation

• pnpm test:connections
• inline launcher script parse smoke check via new Function(...) against the generated launcher HTML

Notes

• when a user asks Desktop to remember an otherwise-unsaved remote choice, the app persists that verified remote as a saved profile so the next-launch reconnect target is stable without storing credentials