Add dashboard TLS and allowed-host flags

[anitguru]

Summary

• Add hermes dashboard --tls-cert and --tls-key flags that pass Uvicorn ssl_certfile / ssl_keyfile options for direct HTTPS serving.
• Add repeatable/comma-separated --allowed-host values so LAN/all-interface dashboard binds can fail closed for unlisted Host headers while preserving existing default behavior when no allowlist is configured.
• Update dashboard URL display/browser-open scheme and use wss:// for the dashboard PTY sidecar URL when TLS is enabled.
• Document the new flags in the CLI reference and web dashboard guide.

Verification

• scripts/run_tests.sh tests/hermes_cli/test_web_server.py tests/hermes_cli/test_web_server_host_header.py → 157 passed
• python -m py_compile hermes_cli/web_server.py hermes_cli/main.py
• ruff check hermes_cli/web_server.py hermes_cli/main.py tests/hermes_cli/test_web_server_host_header.py
• python -m hermes_cli.main dashboard --help | grep -E -- '--tls-cert|--tls-key|--allowed-host'
• git diff --check
• Manual smoke: generated a temporary self-signed cert, launched hermes dashboard --host 127.0.0.1 --port 19443 --no-open --tls-cert ... --tls-key ..., and verified curl --noproxy '*' --max-time 10 -k https://127.0.0.1:19443/api/status returned HTTP 200.
• Independent pre-commit code review: passed; no blocking security or logic concerns.