feat: add token auth, login page, skill toggle, and route restructure

- Add token-based authentication with auto-generated token stored in server/data/.token
- Add login page with URL token auto-fill support
- Add route guards requiring auth for all pages except login
- Restructure routes: / for login, /chat for conversations
- Add skill enable/disable toggle via config.yaml skills.disabled
- Unify logo to /logo.png across sidebar, login, messages, and empty state
- Hide sidebar on login page, prevent flash with router.isReady()
- Fix session export JSON parse error when CLI returns non-JSON output
- Display token in CLI on server start

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/index.ts

@@ -15,6 +15,7 @@ import { fsRoutes } from './routes/filesystem'
 import { configRoutes } from './routes/config'
 import { weixinRoutes } from './routes/weixin'
 import * as hermesCli from './services/hermes-cli'
+import { getToken, authMiddleware } from './services/auth'
 
 const app = new Koa()
 const { restartGateway, startGateway, startGatewayBackground, getVersion } = hermesCli
@@ -28,6 +29,14 @@ let gatewayPid: number | null = null
 export async function bootstrap() {
   await mkdir(config.uploadDir, { recursive: true })
   await mkdir(config.dataDir, { recursive: true })
+
+  // Auth (after mkdir so data dir exists)
+  const authToken = await getToken()
+  if (authToken) {
+    app.use(await authMiddleware(authToken))
+    console.log(`🔐 Auth enabled — token: ${authToken}`)
+  }
+
   await ensureApiServerConfig()
   await ensureGatewayRunning()