feat: private hostname guard for authenticated/private mode

Reject requests from unrecognised Host headers when running
authenticated/private. Adds server middleware, CLI `allowed-hostname`
command, config-schema field, and prompt support for configuring
allowed hostnames during onboard/configure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cli/src/commands/configure.ts

@@ -48,6 +48,7 @@ function defaultConfig(): PaperclipConfig {
       exposure: "private",
       host: "127.0.0.1",
       port: 3100,
+      allowedHostnames: [],
       serveUi: true,
     },
     auth: {
@@ -131,7 +132,10 @@ export async function configure(opts: {
         break;
       case "server":
         {
-          const { server, auth } = await promptServer();
+          const { server, auth } = await promptServer({
+            currentServer: config.server,
+            currentAuth: config.auth,
+          });
           config.server = server;
           config.auth = auth;
         }