feat(daemon): configurable port and listen address (#79)

[Nic-dorman]

Closes #79.

Summary

• ant node daemon start and the hidden daemon run gain --port <PORT> and --listen-addr <IP> flags.
• Defaults unchanged: loopback (127.0.0.1) + OS-assigned port. --port 0 is accepted as an explicit OS-assigned request.
• Flags are forwarded from the detached start path to the spawned run child via a new daemon_run_args helper in ant-core::node::daemon::client.
• When the daemon is already running and the user passes overrides, the CLI prints a note explaining that the running daemon must be stopped first to apply the new bind settings.

Use case

The issue reporter is running the daemon in a Docker container and needs a predictable port for docker run -p. With this change:

docker run -d -p 8765:8765 my/ant-image \
    ant node daemon start --listen-addr 0.0.0.0 --port 8765

Security note (in the README and clap help)

The daemon has no authentication. Binding to a non-loopback address exposes node-management — start, stop, reset, registry mutation — to anyone who can reach the port. The README and --listen-addr help text both call this out; users opt in deliberately by setting the flag.

Tests

• 5 new unit tests in ant-core/src/node/daemon/client.rs::tests covering the args-builder (default, explicit port, explicit listen addr, both, explicit 0).
• New integration test server_binds_to_pinned_port in ant-core/tests/daemon_integration.rs: probes a free loopback port, asks the server to pin it, and asserts both the bound SocketAddr and the daemon.port file agree.
• cargo fmt, cargo clippy --all-targets --all-features -- -D warnings, and the daemon test slices all pass on Windows. cargo test --all has one pre-existing failure (save_snapshot_to_unwritable_dir_does_not_panic in adaptive.rs) that also fails on main and is unrelated to this change.

E2E skill update

.claude/skills/e2e-node-management-test/SKILL.md gains Step 5.4 "Pinned-port flag round-trip" which stops the daemon, restarts it with --port 18765, verifies daemon status reports exactly that port, then restores the OS-assigned default for the remaining phases.

Test plan

• Run the e2e-node-management-test skill against a real testnet on Linux/macOS to confirm the new Step 5.4 passes outside of Windows.
• Spot-check the Docker example in the README: docker run -p 8765:8765 ... ant node daemon start --listen-addr 0.0.0.0 --port 8765 and confirm curl host:8765/api/v1/status works from outside the container.
• Confirm clap help renders the non-loopback warning legibly in your terminal.

Out of scope (worth follow-up issues if there's demand)

• Supporting bind to a specific non-loopback IP that isn't 0.0.0.0. Today the client URL construction hard-codes 127.0.0.1, which is fine for 0.0.0.0 listeners but won't reach a daemon bound to e.g. 192.168.1.5. Would require the port file (or a sibling file) to carry host:port.
• Auth on the daemon API. Pre-existing gap; this PR surfaces it via the warning but doesn't address it.