
fix(dashboard): allow desktop websocket origins on remote binds#37644

Closed
DanBennettUK wants to merge 1 commit into
NousResearch:mainfrom
DanBennettUK:fix/desktop-ws-non-web-origins

Conversation

@DanBennettUK


Summary

  • allow authenticated dashboard WebSocket upgrades from Electron/Desktop non-web origins (file://, null, app://, hermes://) when the dashboard is explicitly bound to a non-loopback host
  • keep Host-header validation in place so the request must still target the bound dashboard interface
  • keep token/ticket validation in place and continue rejecting hostile http/https origins

Context

Hermes Desktop can connect from an Electron renderer origin such as file://. When using the dashboard remotely over a trusted private transport, the dashboard may be bound to a specific non-loopback address instead of localhost. The previous WebSocket origin guard rejected those Desktop origins with 403 even when a valid dashboard session token was supplied.

This is framed as authenticated Desktop remote access rather than a Tailscale-specific special case.

Test plan

  • python -m py_compile hermes_cli/web_server.py
  • python -m pytest tests/hermes_cli/test_web_server_host_header.py -q -o 'addopts='

Local result: 17 passed, 1 warning.
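The three rules the Summary lists (Host header must target the bound interface, the session token must validate, and only hostile http/https origins are rejected while non-web Desktop origins such as file://, null, app:// and hermes:// pass once authenticated) fit into one small guard. The block below is an added, constructed example written for this page; it is not hermes_cli's `_ws_host_origin_is_allowed` or any other project code. The function names, the scheme list, the `(allowed, reason)` return shape and the sample requests are assumptions. It also generalizes slightly: the Desktop-origin rule is applied on loopback binds as well as remote ones, and a loopback bind accepts any loopback Host name, which is a design choice of the example rather than something the PR states.

```python
"""Constructed WebSocket upgrade guard: Host check + token check + origin classification.
Example code for this page, not hermes_cli's implementation; all names are assumptions."""
import hmac
import ipaddress
from urllib.parse import urlsplit

# Non-web schemes an Electron/Desktop renderer may present (assumed list, taken from the PR text).
DESKTOP_SCHEMES = {"file", "app", "hermes"}
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def split_hostport(value):
    """'host:port' or '[v6]:port' -> (lowercased host, int port or None). Bare IPv6 keeps no port."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:
        host, _, port = value.rpartition(":")
    else:
        host, port = value, ""
    return host.lower(), (int(port) if port.isdigit() else None)


def is_loopback(host):
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def host_header_ok(host_header, bound_host, bound_port):
    """The upgrade request must target the interface the dashboard is actually bound to."""
    if not host_header:
        return False
    host, port = split_hostport(host_header)
    if port is not None and port != bound_port:
        return False
    if is_loopback(bound_host):
        return is_loopback(host)          # loopback bind: any loopback name is fine (example choice)
    return host == bound_host.lower()     # remote bind: exact match on the bound address


def token_ok(presented, expected):
    """Constant-time compare so a rejected Origin never leaks token bytes via timing."""
    return bool(presented) and hmac.compare_digest(presented, expected)


def ws_upgrade_allowed(origin, host_header, bound_host, bound_port, presented_token, expected_token):
    """Decide one WebSocket upgrade. Returns (allowed, reason); order is host, token, then origin."""
    if not host_header_ok(host_header, bound_host, bound_port):
        return False, "Host header does not target the bound interface"
    if not token_ok(presented_token, expected_token):
        return False, "missing or invalid session token"
    if origin is None:
        return False, "no Origin header"  # assumption: the guard requires an Origin even from non-browsers
    if origin == "null":
        return True, "opaque 'null' origin accepted (authenticated Desktop client)"
    parts = urlsplit(origin)
    if parts.scheme in DESKTOP_SCHEMES:
        return True, f"desktop origin {parts.scheme}:// accepted (authenticated)"
    if parts.scheme in ("http", "https"):
        if parts.hostname is None:
            return False, "browser origin has no host"
        o_host = parts.hostname.lower()
        o_port = parts.port or (443 if parts.scheme == "https" else 80)
        h_host, h_port = split_hostport(host_header)
        if o_host == h_host and o_port == (h_port or bound_port):
            return True, "browser origin matches Host"
        return False, "browser origin does not match Host (possible cross-site WebSocket hijack)"
    return False, f"unsupported origin scheme {parts.scheme!r}"


if __name__ == "__main__":
    # Constructed requests against a dashboard bound to 100.64.0.5:8787 (addresses are made up).
    BOUND, PORT, TOKEN = "100.64.0.5", 8787, "s3cr3t"
    samples = [
        ("file://",                  "100.64.0.5:8787", TOKEN),   # Desktop renderer, good token
        ("null",                     "100.64.0.5:8787", TOKEN),
        ("hermes://app",             "100.64.0.5:8787", TOKEN),
        ("file://",                  "100.64.0.5:8787", ""),      # Desktop renderer, no token
        ("http://100.64.0.5:8787",   "100.64.0.5:8787", TOKEN),   # same-origin browser tab
        ("http://evil.example",      "100.64.0.5:8787", TOKEN),   # hostile web page with a stolen token
        ("file://",                  "evil.example:8787", TOKEN), # Host does not target the bind
    ]
    for origin, host, tok in samples:
        ok, why = ws_upgrade_allowed(origin, host, BOUND, PORT, tok, TOKEN)
        print(f"{'ALLOW' if ok else 'DENY ':5} origin={origin!r:26} host={host!r:20} {why}")
```

The order matters for the failure mode the PR describes: a Desktop origin is never judged by its scheme alone, it only gets past the Host check and the token check, so a 403 on a remote bind is replaced by a token-gated accept rather than an open one.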

@alt-glitch alt-glitch added type/bug Something isn't working P2 Medium — degraded but workaround exists comp/cli CLI entry point, hermes_cli/, setup wizard type/security Security vulnerability or hardening and removed type/bug Something isn't working labels Jun 2, 2026
@DanBennettUK

DanBennettUK commented Jun 3, 2026

Author

Closing this as superseded by the recent upstream Desktop/WebSocket origin changes.

The current implementation of hermes_cli.web_server._ws_host_origin_is_allowed already accepts authenticated non-web Desktop origins such as file://, null, and custom app schemes across the relevant modes, while still host-checking normal browser/http origins. That covers the issue this PR was trying to fix, so no need for maintainers to spend time reviewing this branch.

Thanks!
