feat(server): add host option for web server

[tt-a1i]

Related Issue

Resolve #908

Related: #900

Problem

kimi web and kimi server run always bind the web server to 127.0.0.1, so the Web UI cannot be reached from another device on the same LAN or over VPN/Tailscale.

What changed

• Add --host <host> to kimi server run and the top-level kimi web alias.
• Keep the default host as 127.0.0.1.
• Pass the selected host through foreground startup and the background daemon spawner.
• Reuse the actual daemon lock host when printing the ready banner, so reusing an existing daemon does not report the newly requested host by mistake.
• Show trusted network only in the ready banner for non-loopback binds.
• Add a minor changeset for @moonshot-ai/kimi-code.

Checklist

• I have read the CONTRIBUTING document.
• I have linked a related issue, or explained the problem above.
• I have added tests that prove my feature works.
• Added .changeset/server-host-option.md for @moonshot-ai/kimi-code.
• No docs update needed for the first cut; the CLI help now exposes the new option and the ready banner warns on non-loopback binds.

Test Plan

• pnpm --filter @moonshot-ai/kimi-code exec vitest run test/cli/server/server.test.ts
• pnpm --filter @moonshot-ai/kimi-code typecheck
• pnpm exec oxlint --type-aware apps/kimi-code/src/cli/sub/server/run.ts apps/kimi-code/src/cli/sub/server/daemon.ts apps/kimi-code/test/cli/server/server.test.ts
• pnpm --filter @moonshot-ai/kimi-code build
• git diff --check
• Subagent review: no blocking findings; added the trusted-network warning from the review note.

AI Assistance Disclosure

I used Codex to review the changes, sanity-check the implementation against existing patterns, and help spot potential edge cases.

[changeset-bot]

🦋 Changeset detected

Latest commit: 976a6a0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@moonshot-ai/kimi-code	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 71fb0e0f3e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Bracket IPv6 hosts before probing daemon health

When --host is an IPv6 bind such as :: or ::1, the daemon can write that value into the lock, but this new host propagation then feeds the raw lock host into serverOrigin, which formats it as http://${host}:${port}. That produces invalid URLs like http://:::58627, so isServerHealthy/waitForServerHealthy never succeed and kimi web --host :: times out even though the detached server is running; IPv6 hosts need to be bracketed (and :: mapped to a connectable loopback like [::1]) before probing/opening.

Useful? React with 👍 / 👎.

[tt-a1i]

fixed, thanks. server origins now normalize bind-any hosts to a connectable loopback and bracket IPv6 literals, so :: probes/open URLs go through http://[::1]:port. also covered the shared origin helper and daemon lock-host path in tests.