feat(stream): on-demand frame thumbnails via /thumbnail (hueco medio)

Add GET /thumbnail to the agent stream server: ffmpeg extracts one frame
at a timestamp (-ss before -i, single-frame MJPEG to stdout) for the web's
file-characteristics panel. Auth via a token scoped thumb:<sha256(path)>
(same HMAC scheme as /stream and /hls; the web mints, the agent verifies),
clamped to a real regular file, 404-no-oracle on a bad token, 20s timeout.
ffmpeg path wired into the stream server from the daemon. Version -> 0.13.0.
Deivid Soto 2026-05-31 18:27:22 +02:00
parent 950cdb4efe
commit 2be92516c6
6 changed files with 329 additions and 2 deletions

@ -49,6 +49,17 @@ const (
// id means a token minted for one session never validates another.
func streamScopeHLS(sessionID string) string { return "hls:" + sessionID }
// streamScopeThumb is the token scope for a single-frame thumbnail of a
// specific file (the web's "file characteristics" panel). Binding the file
// path's SHA-256 into the scope means a token minted for one file never
// validates a thumbnail request for another — a leaked thumbnail URL exposes
// only the one frame-source it was signed for. The web mints the matching
// scope in src/lib/stream-token.ts (streamScopeThumb), byte-for-byte.
func streamScopeThumb(filePath string) string {
sum := sha256.Sum256([]byte(filePath))
return "thumb:" + hex.EncodeToString(sum[:])
}
// newStreamSecret returns 32 cryptographically-random bytes used to sign stream
// tokens for the lifetime of the daemon. Regenerated each start, so tokens from
// a previous run stop validating (the web re-resolves the URL on demand).
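Review bot: streamScopeThumb hashes the raw bytes of filePath, and its doc comment relies on the web minting the same scope byte-for-byte, but nothing in the function or the comment says which form of the path is hashed. If a caller cleans or resolves the path before calling this while the web hashes the string it sent, valid tokens will fail to verify; if a caller hashes the request string and resolves it afterwards, the token is bound to a spelling of the path rather than to the file that is opened. Suggest stating in the doc comment that callers must pass the path in the exact form the web signed (or a canonical form both sides agree on), and adding a shared test vector with src/lib/stream-token.ts so drift between the two implementations is caught. The scope also carries no timestamp, so one token covers every frame of that file; the phrase "one frame-source" in the comment could say that explicitly.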