fix(desktop): canonicalize mesh connect-request #p target before signing

[tlongwell-block]

What

Canonicalize the mesh connect-request (kind:24621) #p target at the single signing boundary, and stop the e2e mock relay from masking a missing-#p regression.

Why

Starting a mesh-powered agent can fail with the relay error:

Mesh client failed to start: invalid: mesh connect request missing #p target

Today publishMeshConnectRequest signs ["p", input.targetPubkey] verbatim from discovery. A non-canonical value (uppercase, surrounding whitespace, or an npub1…) would be signed as-is and then mishandled downstream. We harden the boundary so the desktop always emits a canonical ["p", <64-hex>] tag — or fails locally with a clear invalid pubkey error — instead of producing an event the relay rejects opaquely.

Changes

• pubkey.ts — new canonicalPubkeyOrThrow(value): accepts hex (any case, padded) or npub1…, returns canonical 64-char lowercase hex, throws a clear error otherwise. Reuses the already-present nostr-tools/nip19 decoder.
• relayMeshSignaling.ts — publishMeshConnectRequest runs the target through canonicalPubkeyOrThrow before signing.
• e2eBridge.ts — the mock relay now rejects a 24621 with no #p tag (mirroring the real relay) instead of blindly ACKing it, so the missing-#p shape is actually exercised.
• pubkey.test.mjs — 9 cases: hex passthrough, uppercase, whitespace, npub→hex, and the throw paths (empty / short / garbage / malformed npub).

Verification

• pnpm test (full desktop suite): 479/479 pass
• tsc --noEmit: clean
• biome check: clean
• All pre-commit hooks (rust-fmt, desktop/web/mobile) green

Scope / honesty

This is defense-in-depth + test-harness hardening, not a confirmed fix for a specific reported "missing #p" error. That exact error requires a genuinely tagless 24621, which no current source emits — investigation (Eva + Max) points to a stale desktop build as the likely cause of the live report, pending build-SHA confirmation. This PR makes the class of failure impossible-by-construction and adds the missing regression coverage regardless of that root cause.

[tlongwell-block]

Closing in favor of #834 (Max's) — we both built this in parallel (my fault for not locking the lane). His is the better diff: a real e2e Playwright test that captures the signed 24621 and asserts the #p tag end-to-end, vs my unit tests on an extracted helper. His normalizePubkey (trim+lowercase+64-hex) is also correctly scoped — the reporterPubkey from discovery is always hex, so my npub-decoding path was speculative dead code. #834 it is.