Mob.Certs + jniLibs-via-mob_beam for runtime escript/rebar3 on Android

[GenericJam]

Two related changes to unblock real Elixir HTTP libraries on physical
Android. Same shape as #36 (Mob.DNS): the OS exposes something Erlang
can't reach, and the workaround is to point Erlang at an app-provided
alternative.

Commits

1. Mob.Certs — load CA certificates on Android

:public_key.cacerts_load/0 probes a handful of distro paths for a
system CA bundle. None exist on Android — the system trust store lives
behind a Java API that BEAM's :public_key doesn't reach. The next
:public_key.cacerts_get/0 then raises no_cacerts_found; in some OTP
versions pubkey_os_cacerts.conv_error_reason/1 has no clause for that
and the surface error is a FunctionClauseError instead.

Hex itself bakes its own DER bundle, so mix install may succeed where
the first HTTP call from a user dep fails — Req → Mint → :ssl is
the typical place it shows up. iOS and the Android emulator don't hit
this (their :ssl defaults find the OS trust store fine), which is
why it wasn't caught earlier.

Adds Mob.Certs.load_cacerts/1 + load_cacerts!/1 + loaded?/0 —
thin, predictable wrappers around :public_key.cacerts_load/1. App
brings its own PEM (conventional source: castore's cacerts.pem
copied into priv at build time) and loads it once at startup:

```elixir
def on_start do
Mob.Certs.load_cacerts!(Application.app_dir(:my_app, "priv/cacerts.pem"))

...rest of startup...

end
```

`extra_applications: [:logger, :public_key]` so Elixir 1.19+'s
unused-app culling doesn't strip :public_key.beam from the code path.
Moduledoc covers the rationale + cross-platform notes (calling
unconditionally is harmless on iOS / emulator). Tests: 7 new, all
passing; a small ISRG Root X1 PEM is embedded in the test module so
the suite needs no fixture file or network fetch.

2. mob_beam.zig: optional escript/erl/erlexec/beam.smp symlinks for runtime rebar3

Opens the door for apps that need runtime Mix.install of rebar3-built
deps (telemetry, jose, jiffy, brod, …) on Android. Three walls:

1. rebar3 itself is an escript. escript is in ERTS but lives at
   app_data_file context — execve is blocked from the app uid.
2. escript spawns a fresh BEAM via erl/erlexec. Same execve wall.
3. erlexec exec's beam.smp. Same execve wall.

Same fix shape as the existing solution for inet_gethost/epmd/
erl_child_setup: ship the binary as a lib<name>.so in
jniLibs/<abi>/. Android extracts it under apk_data_file context
where execve is allowed.

Differences from the existing required list:

• These extras aren't on the BEAM-boot critical path. Apps that
  don't use them shouldn't see scary error logs at startup. Hence an
  optional list with silent-skip when the lib isn't in nativeLibDir.
• erl and erlexec map to the same library — erlexec doesn't switch
  on argv[0].

Additionally exposes MOB_NATIVE_LIB_DIR as an env var. Apps that
bundle the extra binaries need its path at runtime to set MIX_REBAR3
and locate the rebar3 escript — the path includes the APK install hash
and isn't predictable at compile time.

The mob side of this commit is intentionally minimal — apps decide
whether to opt in, and ship the binaries. `common_fixes.md` documents
the full pattern (wrapper-script trick, rebar3-symlink-for-module-
name-derivation, \$ROOTDIR/bin/*.boot materialization).

Verified end-to-end

Moto G Power 5G 2024 (Android 14), via mob.connect RPC into the
livebook_mob app on master with both changes pinned in via path dep:

```elixir
Mob.Certs.load_cacerts!(".../priv/cacerts.pem") #=> :ok
Mob.Certs.loaded?() #=> true
length(:public_key.cacerts_get()) #=> 121

Mix.install([{:req, "~> 0.5"}])

→ resolves Req's full tree

→ telemetry compiles via on-device rebar3 (using bundled escript +

erlexec + beam.smp + the wrapper script)

→ finch + jason + mime + nimble_options + nimble_pool + hpax + req

all compile via Mix

#=> :ok

Req.get!("https://geocoding-api.open-meteo.com/v1/search?name=Vancouver&count=1\")
#=> %{status: 200,

body: %{"results" => [%{"name" => "Vancouver",

"admin1" => "British Columbia",

"country" => "Canada",

...}]}}

```

Real Req. Real HTTPS via cacerts. Real network. Real rebar3-compiled
telemetry. All on the physical phone.

Quality

• mix test: 811 + 27 doctests pass, 0 failures (was 804 before the
  cacerts tests).
• mix credo --strict: clean.
• mix format --check-formatted: clean.
• zig fmt --check on the touched zig file: clean.

Trade-off (rebar3 commit)

Apps that opt in pay ~33 MB APK size for the bundled beam.smp. Apps
that don't ship the extra lib*.so files in jniLibs see no change —
the optional symlink loop just lstats a missing path and skips it
silently. Pure-Mix-deps Mix.install works fine without bundling
anything (only Mob.Certs is needed for HTTPS).

🤖 Generated with Claude Code