require auth token for non-loopback API binds

## Problem
API auth is optional and daemon currently only warns when binding to non-loopback without token.

## Evidence
- `src/api-server.ts:110` (auth guard conditional on token presence)
- `src/scripts/daemon.ts:2282` (warn-only for non-loopback without token)
- `src/onboarding.ts:421` (warn-only UX)

## Proposed Fix
- Fail fast: reject startup when `apiHost` is non-loopback and token is missing.
- Keep local loopback as token-optional default.
- Update onboarding/wizard messaging and validation accordingly.

## Acceptance Criteria
- Non-loopback binds cannot start without auth token.
- Loopback behavior remains easy for local-only usage.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

require auth token for non-loopback API binds #45

Problem

Evidence

Proposed Fix

Acceptance Criteria

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

require auth token for non-loopback API binds #45

Description

Problem

Evidence

Proposed Fix

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions