Add TLS between model-cli and the Model Runner API when using TCP

[ilopezluna]

When the Model Runner API is exposed over TCP (http://localhost:12434 by default), requests between model-cli and the API travel unencrypted.
Add first-class support for TLS so the CLI can connect securely over https://…, aligning with Docker Engine’s existing TLS ergonomics.
Today, Unix domain socket access exists (secure by OS permissions), but TCP is explicitly supported and documented for host access, which should be able to be secured as well.

[ericcurtin]

+1 to this.

We may also want to explore some encryption techniques that are low on configuration and "just work".

TLS is the standard and we should add, but requires manual effort, issuing certificates, or PSK, etc.

The solution to this might just be put something like NGINX in front of DMR daemon and use the cli --tls options.

[ericcurtin]

Maybe we just generate self-signed certs automatically and use TLS, it's better than plain-text HTTP