Token-based authentication for the web console.

Generates a random token on first startup, persists it to ~/.vibe/web-token (mode 0600). The token is checked on every request — passed as ?token=xxx query param on first visit, then stored in a session cookie.