Add direct connect, auto-detect PKI, and rework demo flow

- connectDirect(policy, mode): connect without endpoint discovery,
  for servers with no unencrypted endpoint. Sets user identity token
  policy matching the auth mode.
- autoDetectPki(): scan own/certs/*.der and own/private/*.pem|crt,
  called automatically at startup.
- Demo: discovery auto-starts, PKI section hidden behind toggle with
  auto-detected cert summary, direct connect appears on connect failure.
  File/folder dialogs for manual PKI override.

1 files changed, 20 insertions, 0 deletions

diff --git a/src/BobinkClient.h b/src/BobinkClient.h
index f95ab02..43eda65 100644
--- a/src/BobinkClient.h
+++ b/src/BobinkClient.h
@@ -88,8 +88,26 @@ public:
   QString keyFile () const;
   void setKeyFile (const QString &path);
 
+  enum SecurityMode
+  {
+    SignAndEncrypt = 3,
+    Sign = 2,
+    None = 1,
+  };
+  Q_ENUM (SecurityMode)
+
+  enum SecurityPolicy
+  {
+    Basic256Sha256,
+    Aes128_Sha256_RsaOaep,
+    Aes256_Sha256_RsaPss,
+  };
+  Q_ENUM (SecurityPolicy)
+
   /** @brief Discover endpoints, pick the most secure, connect. */
   Q_INVOKABLE void connectToServer ();
+  /** @brief Connect directly without endpoint discovery. */
+  Q_INVOKABLE void connectDirect (SecurityPolicy policy, SecurityMode mode);
   Q_INVOKABLE void disconnectFromServer ();
 
   /** @brief Accept the pending server certificate. */
@@ -100,6 +118,8 @@ public:
   Q_INVOKABLE void startDiscovery ();
   Q_INVOKABLE void stopDiscovery ();
 
+  /** @brief Auto-detect cert/key from the PKI directory and apply. */
+  Q_INVOKABLE void autoDetectPki ();
   /** @brief Apply PKI dirs and cert/key. Call before connecting. */
   Q_INVOKABLE void applyPki ();