* feat(android): support per-gateway custom headers for proxied gateway connections
Per-gateway custom request headers (Cloudflare Access-style service tokens)
for gateways behind authenticating reverse proxies. Headers are credentials:
EncryptedSharedPreferences-stored per endpoint stableId, masked in the manual
connection UI, injected on the OkHttp WebSocket upgrade at connect time via a
provider so edits apply on the next reconnect without re-pairing. Reserved
handshake headers and non-printable-ASCII are sanitized out (OkHttp throws on
them). TLS fingerprint pinning and pairing flows unchanged. Cross-gateway
isolation proven by MockWebServer upgrade-capture test.
Related: #100698
* chore(android): sync native i18n for custom header strings
* fix(android): harden gateway custom headers
* chore(android): resync native i18n inventory
* docs(changelog): defer Android release note
* fix(android): validate custom header names
* chore(android): refresh native i18n inventory