docs: staged TLS+pinning rollout for registry transport (H1)

[TeoSlayer]

Summary

Design proposal (docs only, no default change) for closing audit finding H1: the node_id → public_key mapping that all peer-handshake authentication — and badge/recovery trust — rests on is fetched over plaintext TCP by default. TLS+pinning exists but is gated behind -registry-tls -registry-trust=pinned -registry-fingerprint=….

Adds docs/PROPOSAL-h1-tls-pinning-rollout.md.

Why this matters (verified in code + against prod)

• lookupPeerPubKey → regConn.Lookup(nodeID) → resp["public_key"] (pkg/daemon/daemon.go:5674) is the sole source of peer-key truth in keyexchange/handle.go.
• The lookup response is not application-signed (common/registry/wire/wire.go:183) — integrity rests entirely on transport.
• Default daemon dial is registry.DialPool = plaintext (pkg/daemon/daemon.go:911); -registry-tls defaults false.
• pilotctl (incl. recovery/verify) has no TLS option at all — registry.Dial plaintext (cmd/pilotctl/verify.go:301).
• Prod-confirmed: 34.71.57.205:9000 serves plaintext; registry.pilotprotocol.network:443 already serves a valid Let's Encrypt cert.

What the proposal contains

• Current-state map, target state (pinned TLS default + optional app-layer signed lookups).
• A 5-stage migration that never breaks a live node (server-offers-before-client-requires; prefer-TLS-with-warned-fallback; telemetry-gated default flip; plaintext retired last).
• Pin-distribution solution (bake SPKI pin into the auto-updater-shipped binary → no TOFU window), compatibility analysis against the 222K opt-in-auto-update fleet, concrete file/function touch-points, and 7 maintainer decisions required before any flip.

Do not merge — this is for review/decision. No behaviour changes.