fix: harden dashboard and inspect local control planes

[Muhtasham]

Summary

• build on upstream Require same-origin stream commands #1355, which already fixed the per-session /api/command relay issue from Per-session /api/command should require same-origin or token auth #1344
• reject cross-origin requests before dispatching dashboard control-plane POST routes (/api/exec, /api/sessions, /api/kill)
• stop emitting wildcard CORS on standalone dashboard API responses
• require same-origin Origin or Referer before /api/sessions can spawn browser sessions
• require same-origin Origin for dashboard WebSocket proxy routes when a browser Origin is present
• require a generated capability token and local browser Origin for inspect-mode DevTools WebSocket handshakes
• add unit coverage for shared same-origin HTTP helpers, dashboard WebSocket origin checks, /api/sessions rejection, and inspect-mode token/origin checks

Fixes #1345.
Fixes #1347.

Validation

• cargo fmt --manifest-path cli/Cargo.toml -- --check
• cargo test --manifest-path cli/Cargo.toml native::stream::http::tests -- --test-threads=1 --nocapture
• cargo test --manifest-path cli/Cargo.toml native::stream:: -- --test-threads=1 --nocapture
• cargo test --manifest-path cli/Cargo.toml native::inspect_server::tests -- --nocapture
• cargo clippy --manifest-path cli/Cargo.toml -- -D warnings
• Runtime dashboard smoke on port 4860: evil-origin preflight and POST to /api/exec now return 403 without CORS; same-origin POST still returns 200.

[vercel]

@Muhtasham is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

Additional Suggestion:

WebSocket connections in dashboard.rs lack DNS rebinding protection that was added to http.rs, allowing attackers to bypass same-origin checks via DNS rebinding attacks.