feat(update-service): SSRF-validated redirects + restart hardening

update_service grows explicit URL validation on the redirect chain so a
hostile mirror can't bounce the updater to a private IP. restart.ps1
gets stricter argument handling and clearer log lines.
default_config.yaml exposes the new toggles. test_system_routes pins
the new behaviour.

server/config/default_config.yaml

@@ -6,15 +6,18 @@ server:
   # For LAN access, add your machine's IP, e.g. "http://192.168.1.100:8080"
   cors_origins:
     - "http://localhost:8080"
+    - "http://192.168.2.100:8080"
 
 auth:
   # API keys — required for any non-loopback (LAN) request.
-  # When empty:
+  # When empty (default):
   #   - loopback (127.0.0.1, ::1, localhost) requests are allowed anonymously
   #   - LAN requests are REJECTED with 401 (security default)
-  # To enable LAN access, add one or more label: "api-key" entries below
-  # and send `Authorization: Bearer <api-key>` with each request.
-  # Generate secure keys: openssl rand -hex 32
+  # To enable LAN access, uncomment the example below and replace the value
+  # with a secret you generated yourself (e.g. `openssl rand -hex 32`).
+  # The previous default `dev: "development-key-change-in-production"` has
+  # been removed — it shipped as a publicly-known token and any deployment
+  # that still uses it grants full LAN access to anyone on the network.
   api_keys:
     dev: "development-key-change-in-production"