The localhost check using the host header and x-forwarded-for was unreliable in the standalone Next.js server, which may inject forwarded headers internally. Replace with a per-process random token shared between the PTY server and the API route via an env var.
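An added example, not code from this commit or its project: a Node.js version of the token check the message describes, next to a header-based check of the kind it replaces. The env var name `PTY_INTERNAL_TOKEN`, the header name `x-pty-token`, the function names, and the exact logic of `looksLocal` are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not the project's code.
const { randomBytes, timingSafeEqual } = require("node:crypto");

const TOKEN_ENV = "PTY_INTERNAL_TOKEN"; // assumed env var name
const TOKEN_HEADER = "x-pty-token";     // assumed request header name

// Startup: create the per-process secret once and publish it through the
// environment so the API route and the PTY server read the same value.
function initToken(env = process.env) {
  if (!env[TOKEN_ENV]) env[TOKEN_ENV] = randomBytes(32).toString("hex");
  return env[TOKEN_ENV];
}

// Header-based locality check of the kind being replaced (reconstructed
// from the description). Its answer depends on headers that any hop,
// including the server itself, can add or rewrite.
function looksLocal(headers) {
  const host = (headers["host"] || "").split(":")[0];
  const fwd = headers["x-forwarded-for"];
  const localHost = host === "localhost" || host === "127.0.0.1";
  const localFwd = !fwd || fwd.split(",")[0].trim() === "127.0.0.1";
  return localHost && localFwd;
}

// Token check: independent of Host and forwarded headers, fails closed
// when the secret is unset, and compares in constant time.
function hasValidToken(headers, env = process.env) {
  const expected = env[TOKEN_ENV];
  const given = headers[TOKEN_HEADER];
  if (!expected || typeof given !== "string") return false;
  const a = Buffer.from(given);
  const b = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so check length first.
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed sample requests (not captured traffic): the same local call,
// once as sent and once with a forwarded header added on the way in.
const sampleDirect = { host: "localhost:3000" };
const sampleForwarded = {
  host: "localhost:3000",
  "x-forwarded-for": "::ffff:127.0.0.1",
};
```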