machine-derived token to authenticate to the local server without requiring an explicit API key. This enables zero-config local use while preserving security for remote access.

CLI side (): computes using and injects the result as the header on every call.
1. Server side (): accepts the token only if:
   is not
   • , , )
2. and other route guards call before checking API keys — so the CLI gets transparent localhost access without storing any credential.

		is per-device; on single-user desktops this is acceptable. Use in multi-user setups.
		).
		/. Rejected for any other IP.
		reads (Linux), (macOS), (Windows). Different per host.

in or the server environment to disable this mechanism entirely. All access then requires an explicit API key.

, the source IP, user-agent, path, and the first 8 characters of the machine-id hash (non-reversible).

header (from or ) always takes precedence over the CLI token and is evaluated first.

— CLI token generation
• — server validation
• — integration into auth pipeline
• — unit tests