feat: private hostname guard for authenticated/private mode

Reject requests from unrecognised Host headers when running
authenticated/private. Adds server middleware, CLI `allowed-hostname`
command, config-schema field, and prompt support for configuring
allowed hostnames during onboard/configure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

doc/CLI.md

@@ -2,7 +2,7 @@
 
 Paperclip CLI now supports both:
 
-- instance setup/diagnostics (`onboard`, `doctor`, `configure`, `env`)
+- instance setup/diagnostics (`onboard`, `doctor`, `configure`, `env`, `allowed-hostname`)
 - control-plane client operations (issues, approvals, agents, activity, dashboard)
 
 ## Base Usage
@@ -37,6 +37,12 @@ Current CLI behavior:
 
 Target behavior (planned) is documented in `doc/DEPLOYMENT-MODES.md` section 5.
 
+Allow an authenticated/private hostname (for example custom Tailscale DNS):
+
+```sh
+pnpm paperclip allowed-hostname dotta-macbook-pro
+```
+
 All client commands support:
 
 - `--api-base <url>`

doc/DEVELOPING.md

@@ -37,6 +37,12 @@ pnpm dev --tailscale-auth
 
 This runs dev as `authenticated/private` and binds the server to `0.0.0.0` for private-network access.
 
+Allow additional private hostnames (for example custom Tailscale hostnames):
+
+```sh
+pnpm paperclip allowed-hostname dotta-macbook-pro
+```
+
 ## One-Command Local Run
 
 For a first-time local install, you can bootstrap and run in one command: