feat(web): protect launcher dashboard with token and SPA login (#1953)

Add token-based authentication for the Launcher's embedded Web Dashboard.

- Ephemeral token generated in-memory each run (or via PICOCLAW_LAUNCHER_TOKEN env var)
- HMAC-SHA256 session cookie (HttpOnly, SameSite=Lax, Secure when HTTPS)
- Bearer token support for API/script access
- Rate limiting on login (10 attempts/IP/min)
- Referrer-Policy: no-referrer on all responses
- POST-only logout with JSON content-type (CSRF-safe)
- System tray "Copy dashboard token" action
- Login page shows contextual help (console/tray/log file path)
- Path traversal protection via path.Clean
- X-Forwarded-Host/Port/Proto support for reverse proxy deployments
- Full i18n support (English, Chinese)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/frontend/src/features/chat/websocket.ts

@@ -14,6 +14,18 @@ export function normalizeWsUrlForBrowser(wsUrl: string): string {
     if (isLocalHost && !isBrowserLocal) {
       parsedUrl.hostname = window.location.hostname
       finalWsUrl = parsedUrl.toString()
+    } else if (
+      isLocalHost &&
+      isBrowserLocal &&
+      parsedUrl.hostname !== window.location.hostname &&
+      (parsedUrl.hostname === "127.0.0.1" ||
+        parsedUrl.hostname === "localhost") &&
+      (window.location.hostname === "127.0.0.1" ||
+        window.location.hostname === "localhost")
+    ) {
+      // Same machine, but cookies are host-specific; match the page origin.
+      parsedUrl.hostname = window.location.hostname
+      finalWsUrl = parsedUrl.toString()
     }
   } catch (error) {
     console.warn("Could not parse ws_url:", error)