security: lock dashboard to loopback, add token auth, sanitize process names, block path traversal #30

Open
svanack404 wants to merge 1 commit into cytostack:main from svanack404:codex/openwolf-security-fixes

@svanack404

Summary

  • Binds the dashboard server to 127.0.0.1 by default (was 0.0.0.0)
  • Generates a per-project token in .wolf/dashboard-token; required for all /api/* and WebSocket connections
  • Threads the token through openwolf dashboard browser launch so normal usage is unaffected
  • Updates openwolf cron run to send the token when calling the daemon
  • Replaces PM2 shell command strings with argument-array calls (eliminates command injection surface)
  • Sanitizes the PM2 process name derived from the project folder
  • Blocks cron AI tasks from reading files outside the project root (path traversal)
  • Refreshes dependencies; pnpm audit --prod --audit-level low reports no known vulnerabilities

Verification

Reviewed at commit bd69835. All checks passed on Node 22 / pnpm 10:

  • pnpm audit --prod --audit-level low: clean
  • pnpm exec tsc --noEmit: clean
  • pnpm exec tsc -p tsconfig.hooks.json --noEmit: clean
  • pnpm build: full success (670 modules, dashboard bundle built)

Test plan

  • Run openwolf init in a test project and confirm .wolf/dashboard-token is created
  • Run openwolf dashboard and confirm browser opens and dashboard loads
  • Confirm direct /api/* requests without the token return 401
  • Confirm openwolf cron run completes without error
  • Confirm a cron AI task cannot read a file outside the project root

…s names, block path traversal

- Bind dashboard server to 127.0.0.1 by default
- Generate per-project dashboard token in .wolf/dashboard-token
- Require token for /api/* and WebSocket connections
- Thread token through `openwolf dashboard` browser launch
- Update `openwolf cron run` to send token to daemon
- Replace PM2 shell string commands with argument-array calls
- Sanitize PM2 process name derived from project folder
- Block cron AI tasks from reading files outside project root
- Refresh dependencies; pnpm audit --prod reports clean
@svanack404 svanack404 closed this Apr 29, 2026
@svanack404
Author

Security hardening PR. Includes local dashboard token auth, loopback binding, safer daemon command execution, cron context path restrictions, and dependency audit cleanup.

@svanack404 svanack404 reopened this Apr 29, 2026
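
Added example, not code from this pull request or from OpenWolf: one way to implement the "block cron AI tasks from reading files outside the project root" item in Node, covering `..` segments, absolute paths, sibling directories that share the root's prefix, and symlinks. The function names `resolveInsideRoot` and `isContained` and all sample paths are assumptions.

```javascript
// Added example: names and behaviour are assumptions, not OpenWolf's code.
const fs = require('node:fs');
const path = require('node:path');

// True when `candidate` is `root` itself or lies beneath it.
function isContained(root, candidate) {
  const rel = path.relative(root, candidate);
  // ".." or "../x" escapes the root; an absolute result means another
  // drive on Windows. "..notes.md" is a legal file name and must pass.
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Returns the absolute path to read if `requested` stays under
// `projectRoot`, otherwise null. `requested` is untrusted input, for
// example a file path taken from a cron task definition.
function resolveInsideRoot(projectRoot, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  const root = path.resolve(projectRoot);
  // path.resolve collapses ".." segments; an absolute `requested`
  // replaces the root entirely, which the containment check then rejects.
  const candidate = path.resolve(root, requested);
  if (!isContained(root, candidate)) return null;
  // The lexical check passed. Follow symlinks for paths that exist so a
  // link placed inside the project cannot redirect the read outside it.
  try {
    const realRoot = fs.realpathSync(root);
    const realCandidate = fs.realpathSync(candidate);
    return isContained(realRoot, realCandidate) ? realCandidate : null;
  } catch (err) {
    // Nothing on disk to follow; the later read fails on its own.
    if (err.code === 'ENOENT') return candidate;
    throw err;
  }
}
```

The caller should read from the returned path, not from the original string, so the path that was checked is the path that is opened.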