
feat: LAN mode with rotating single-use 30s invite tokens#32

Merged
Blaise1030 merged 1 commit into
mainfrom
feat/lan-rotating-invite-token
Jun 17, 2026

Conversation

@Blaise1030

Owner

This PR implements secure LAN access using a rotating single-use invite token (30s lifetime).

Changes

Rotating Invite Tokens

  • New logic in lan.Manager generates a cryptographically secure random token that rotates every 30 seconds.
  • Token is single-use: immediately invalidated on successful /auth/local consumption.
  • Old tokens are void after their 30s window.

QR Code + Invite Flow

  • QR in Settings → Network now encodes http://LAN-IP:port/?invite=TOKEN
  • Frontend detects ?invite (or ?token) param on load, passes it to ensureLocalAuth.
  • URL is cleaned after successful validation (history.replaceState).
  • Live polling refreshes the invite URL/QR while on the settings page.

Auth Hardening for LAN

  • /auth/local now accepts optional { "token": "..." } body.
  • With valid token → authenticated (and token consumed).
  • Without token → only strict loopback (127.0.0.1 etc.) is allowed.
  • Private LAN IPs no longer auto-authenticate; an invite token is required.
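An added example (not code from this PR or the project) of the token lifecycle described under Rotating Invite Tokens and Auth Hardening: a hypothetical InviteManager standing in for lan.Manager, with the strict-loopback exemption assumed to be applied by the /auth/local handler before Authorize is called. The package-level now clock is an assumption added so the 30s window can be exercised without sleeping.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"sync"
	"time"
)

const tokenTTL = 30 * time.Second

var now = time.Now // swapped out in tests to drive the 30s window

// InviteManager is a hypothetical stand-in for the PR's lan.Manager: one random
// token that expires 30s after minting and is burned on first successful use.
// A zero expiry means "no live token" (never minted, consumed, or voided).
type InviteManager struct {
	mu      sync.Mutex
	token   string
	expires time.Time
}

// Current returns the live token (what the QR encodes as ?invite=TOKEN),
// minting 128 fresh bits from crypto/rand when the old one is dead.
func (m *InviteManager) Current() string {
	m.mu.Lock()
	defer m.mu.Unlock()
	if !now().Before(m.expires) {
		buf := make([]byte, 16)
		if _, err := rand.Read(buf); err != nil {
			panic(err) // no usable entropy: never hand out a weak token
		}
		m.token, m.expires = hex.EncodeToString(buf), now().Add(tokenTTL)
	}
	return m.token
}

// Authorize is the token half of /auth/local for a non-loopback client (the
// handler admits strict loopback without calling it): the presented token must
// match the current unexpired one in constant time, and a match burns it.
func (m *InviteManager) Authorize(presented string) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	if !now().Before(m.expires) || subtle.ConstantTimeCompare([]byte(presented), []byte(m.token)) != 1 {
		return false
	}
	m.expires = time.Time{} // single-use: void it; the next Current() rotates
	return true
}
```

Holding the mutex across compare-and-burn is what makes "single-use" hold under two concurrent /auth/local requests carrying the same token.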

LAN Binding

  • --lan / --expose flag binds to 0.0.0.0 and advertises discovered private IPs.
  • NetworkSettings response now includes lanMode, lanUrls, lanIps, and inviteUrl.

Mobile UI Improvements

  • On ≤ 768px: sidebar defaults collapsed (uses existing Sheet).
  • Split aux panels (explorer/git) are hidden in favor of full-page router views.
  • Uses h-dvh and responsive logic for better small-screen experience.

How to Test

pnpm build
cd apps/server-go
go run ./cmd/workbench-cli --lan --http -y
  1. Open app → Settings → Network → observe rotating invite link + QR.
  2. Copy/scan the invite URL from another device or incognito tab on same LAN.
  3. Verify auth succeeds and token is one-time use.

Desktop localhost flow remains unchanged for convenience.

Related

  • Addresses original request for LAN mode + mobile friendliness.
  • Invite token mechanism requested to move beyond pure IP-based trust.

…s (30s)

- Tokens rotate every 30 seconds and are immediately invalidated after use
- QR code now encodes invite URL with current token (?invite=...)
- Non-loopback LAN clients must present a valid unconsumed token to authenticate
- Desktop localhost access remains tokenless for convenience
- Settings > Network now shows current invite link + live-updating QR
- Frontend auto-detects token from URL, sends it on auth, cleans URL after use
- Polling keeps the invite QR fresh while viewing settings

Also includes earlier LAN binding (0.0.0.0) and mobile UI responsiveness improvements (sidebar collapse, aux panels via page layout on small screens).

Tested: pnpm build succeeds, Go builds and basic flows verified.
@Blaise1030 Blaise1030 merged commit 813d324 into main Jun 17, 2026
13 checks passed
