Use default Trust manager and fallback to user installed CA

[TimoPtr]

Summary

This PR is mostly the work of @bpacholek (thanks for the initial PR #7024), with the comments addressed.

It basically use the default TrustManager from Android instead of getting a snapshot of the AndroidCAStore that we started using in #6753. Using this snapshot caused users with cert containing only part of the chain a SSL handshake failed describe in #6810.

Fixes #6810
Re #5565 (I tested again the flow and custom CA are still working)

Checklist

• New or updated tests have been added to cover the changes following the testing guidelines.
• The code follows the project's code style and best_practices.
• The changes have been thoroughly tested, and edge cases have been considered.
• Changes are backward compatible whenever feasible. Any breaking changes are documented in the changelog for users and/or in the code for developers depending on the relevance.

Any other notes

To reproduce the issue fixed if you are using certbot with Let's encrypt you can simply swap the fullchain.pem with the cert.pem.

[Copilot]

Pull request overview

This PR updates the app’s TLS configuration to use Android’s default trust manager (restoring proper chain building and network_security_config behavior) while adding a targeted fallback that trusts only user-installed CAs on ROMs where the default path does not honor them.

Changes:

• Switch OkHttp TLS setup back to the platform default trust manager and add a user-installed-CA-only fallback trust manager.
• Introduce CompositeX509ExtendedTrustManager to consult a fallback trust manager only when the primary rejects with CertificateException.
• Add unit tests for the composite trust manager and for filtering AndroidCAStore entries to user-installed CAs; add a StrictMode ignore rule for the keystore disk read during OkHttp configuration.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
common/src/main/kotlin/io/homeassistant/companion/android/common/data/TLSHelper.kt	Reworks OkHttp TLS setup to use the default trust manager and optionally wrap it with a user-CA-only fallback; adds helpers for keystore loading/filtering.
common/src/main/kotlin/io/homeassistant/companion/android/common/data/CompositeX509ExtendedTrustManager.kt	Adds a composite trust manager that retries server validation against a fallback only after primary CertificateException.
common/src/test/kotlin/io/homeassistant/companion/android/common/data/CompositeX509ExtendedTrustManagerTest.kt	Adds unit tests covering fallback decision logic and error propagation/suppression behavior.
common/src/test/kotlin/io/homeassistant/companion/android/common/data/TLSHelperTest.kt	Adds unit tests for filtering user-installed CA entries from a keystore.
app/src/main/kotlin/io/homeassistant/companion/android/util/IgnoreViolationRules.kt	Ignores a StrictMode disk-read violation triggered during OkHttp client configuration (keystore access).

[jpelgrom]

Reviewed in #7038