fix(app-server): require auth for non-loopback binds #3332

Draft

cyq1017 wants to merge 1 commit into Hmbown:main from cyq1017:codex/codewhale-3258-app-server-auth

Conversation

@cyq1017 cyq1017 commented Jun 19, 2026

Contributor

Fixes #3258

Summary

  • reject non-loopback app-server binds when no explicit auth token is supplied
  • keep loopback one-time token generation and explicit-token non-loopback binds unchanged
  • add regression coverage for the default non-loopback/no-token path

Verification

  • cargo fmt --check --all
  • cargo test -p codewhale-app-server non_loopback -- --nocapture
  • cargo test -p codewhale-app-server --lib --locked -- --nocapture
  • cargo test --workspace --all-features --locked non_loopback -- --nocapture
  • cargo clippy --workspace --all-features --locked -- -D warnings -A clippy::uninlined_format_args -A clippy::too_many_arguments -A clippy::unnecessary_map_or -A clippy::assertions_on_constants

Signed-off-by: cyq <15000851237@163.com>
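The bind policy the summary describes (loopback binds may fall back to a generated one-time token, non-loopback binds must carry an explicit token or fail fast) written out as an added, stand-alone Rust illustration. It is not the project's `resolve_auth_token`; the function signature, the error and token types, and the treatment of an empty explicit token as "no token" are assumptions made here.

```rust
use std::net::SocketAddr;

/// Error returned when a bind would expose an endpoint with no authentication.
#[derive(Debug, PartialEq)]
pub enum AuthTokenError {
    NonLoopbackWithoutToken(SocketAddr),
}

/// How the listener ends up authenticated.
#[derive(Debug, PartialEq)]
pub enum AuthToken {
    /// Caller-supplied token; accepted for any bind address.
    Explicit(String),
    /// Generated one-time token; only handed out for loopback binds.
    OneTime(String),
}

/// Stand-in for one-time token generation (assumption: a real server would
/// draw this from a CSPRNG; a fixed value keeps the example deterministic).
fn generate_one_time_token() -> String {
    "onetime-example-token".to_string()
}

/// Decide which token protects a listener on `bind`.
/// Order matters: an explicit token always wins, a loopback bind may fall back
/// to a one-time token, and anything else is rejected before the socket opens.
pub fn resolve_auth_token(
    bind: SocketAddr,
    explicit: Option<&str>,
) -> Result<AuthToken, AuthTokenError> {
    // Assumption: an empty string is treated as "no token supplied".
    if let Some(tok) = explicit.filter(|t| !t.is_empty()) {
        return Ok(AuthToken::Explicit(tok.to_string()));
    }
    // `is_loopback` covers 127.0.0.0/8 and ::1. IPv4-mapped IPv6 loopback
    // (::ffff:127.0.0.1) is not recognised and so falls through to the
    // rejection below, which is the conservative outcome.
    if bind.ip().is_loopback() {
        return Ok(AuthToken::OneTime(generate_one_time_token()));
    }
    Err(AuthTokenError::NonLoopbackWithoutToken(bind))
}

fn main() {
    let any: SocketAddr = "0.0.0.0:4500".parse().unwrap();
    match resolve_auth_token(any, None) {
        Ok(tok) => println!("listener authenticated with {tok:?}"),
        Err(e) => eprintln!("refusing to bind: {e:?}"),
    }
}
```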


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a security check in resolve_auth_token that prevents the application server from binding to a non-loopback address unless an explicit authentication token is configured. It also adds a corresponding unit test to verify that attempting to bind to a non-loopback address without an explicit token fails as expected. There are no review comments, so no additional feedback is provided.



Development

Successfully merging this pull request may close these issues: app-server: fail fast for non-loopback legacy bind without explicit auth
