Client: add system CA verification mode (non-pinning)

[Mygod]

Today the client only supports leaf pinning via --cert or no verification at all. Docs explicitly state CA bundles are not supported and omitting --cert disables verification (docs/config.md, docs/usage.md). Add a second verification mode that validates the server certificate chain against the system trust store.

Motivation

• Pinning is more secure but operationally heavy (certificate rotation) and not aligned with standard TLS UX. (Add cert-sha256 pinning and ss:// helper #49)
• No-verification is risky and currently the default if --cert is omitted.
• A system-CA mode enables safer defaults when running against public or enterprise-issued certs.

Proposed behavior

• Add a verification mode selection for the client: --cert-domain <server name>.
• Default behavior remains backward compatible (no verification unless opted in), or consider system when a hostname is provided (see open questions).
• In system mode, the TLS stack should validate the chain and hostname/SNI.

Acceptance criteria

• Client supports system verification mode, using OS trust store and hostname/SNI checks.
• Clear CLI/SIP003 configuration for the mode.
• Docs updated to reflect the new mode (remove "CA bundles are not supported" where applicable).
• Existing pinning and no-verify behavior preserved.