
fix(opencode): guard tui server exposure#10974

Closed
MaxMiksa wants to merge 1 commit into anomalyco:dev from MaxMiksa:harden/tui-thread-password

Conversation

@MaxMiksa
Contributor

Fixes #10973.

What does this PR do?

  • Applies the same insecure-non-loopback guardrail to the TUI external-server path as serve/web.
  • Adds --yes to skip confirmation prompts.

How did you verify your code works?

  • bun test test/cli/exposure-guard.test.ts
  • bun run typecheck

@github-actions
Contributor

The following comment was made by an LLM; it may be inaccurate:

Potential Related PR Found:

[Security] Fix HIGH vulnerability: CVE-2025-58179
#10763

This PR may be related because it addresses a security vulnerability that could be related to server exposure issues. Given that PR #10974 mentions applying "insecure-non-loopback guardrail" to the TUI server and references fixing issue #10973, this CVE fix might be addressing a similar or broader security concern around server exposure.

I recommend reviewing PR #10763 to confirm whether it overlaps with or supersedes the changes in PR #10974.

@MaxMiksa
Contributor Author

Thanks — PR #10763 appears to be a broader CVE/security fix, but this PR is narrowly scoped to a specific user entrypoint.

opencode/TUI can start an external HTTP server when --hostname/--port/--mdns (or global config) enables it. This PR just applies the same insecure non-loopback guardrail already proposed for serve/web: require confirmation on TTY, refuse on non-TTY unless --yes is provided.

No attempt to overlap or replace CVE-related changes.
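
The guardrail described in the comment above, as an added TypeScript example (not opencode's own code): the function and type names are assumed, and an empty hostname is assumed to mean the loopback default.

```typescript
// Added example, not opencode's own code. Names are assumed for illustration;
// the policy mirrors the PR description: binding a non-loopback address (or
// advertising via mDNS) without OPENCODE_SERVER_PASSWORD requires confirmation
// on a TTY and is refused on a non-TTY unless --yes was passed.
import * as net from "node:net";

export type ExposureDecision = "allow" | "confirm" | "refuse";

export interface ExposureInput {
  hostname: string;   // --hostname (or config); "" is assumed to mean the loopback default
  mdns?: boolean;     // --mdns advertises the server on the local network
  password?: string;  // OPENCODE_SERVER_PASSWORD, if set
  isTTY: boolean;     // process.stdin.isTTY
  yes?: boolean;      // --yes
}

/** True only for addresses that cannot be reached from another host. */
export function isLoopback(hostname: string): boolean {
  const h = hostname.trim().toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "" || h === "localhost") return true;
  if (net.isIPv4(h)) return h.startsWith("127.");
  if (net.isIPv6(h)) {
    const addr = h.split("%")[0]; // drop a zone id such as fe80::1%eth0
    if (/^(0*:)+0*1$/.test(addr)) return true; // ::1, 0:0:0:0:0:0:0:1, ::0001
    const mapped = addr.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped form
    return mapped !== null && mapped[1].startsWith("127.");
  }
  return false; // unresolved hostnames are treated as reachable from outside
}

export function decideExposure(input: ExposureInput): ExposureDecision {
  const exposed = input.mdns === true || !isLoopback(input.hostname);
  if (!exposed) return "allow";                                      // nothing leaves the machine
  if (input.password && input.password.length > 0) return "allow";   // exposure is authenticated
  if (input.yes) return "allow";                                     // explicit opt-in via --yes
  return input.isTTY ? "confirm" : "refuse";                         // ask a human; never assume in scripts
}
```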

@github-actions
Contributor

Closing this pull request because it has had no updates for more than 60 days. If you plan to continue working on it, feel free to reopen or open a new PR.

@github-actions github-actions bot closed this Mar 30, 2026

Successfully merging this pull request may close these issues.

tui: require explicit confirmation when starting external server on non-loopback without OPENCODE_SERVER_PASSWORD
