Workspace Terminal tab: xterm front end + short-lived token route

- New Terminal tab in the workspace shell, backed by xterm.js, that connects
  to the worker's PTY WebSocket using a short-lived token minted by
  /api/agent-jobs/:id/terminal-token (owner-auth'd, never exposes the worker
  secret to the browser)
- Site-matched xterm theme (light/dark, live theme switching), Victor Mono,
  binary stdin + JSON resize protocol, reconnect, graceful 'not configured'
  state when NEXT_PUBLIC_SPOON_AGENT_WORKER_WS_URL is unset
- env: NEXT_PUBLIC_SPOON_AGENT_WORKER_WS_URL (client), SPOON_AGENT_TERMINAL_SECRET

apps/next/src/app/api/agent-jobs/[jobId]/terminal-token/route.ts

@@ -0,0 +1,18 @@
+import { NextResponse } from 'next/server';
+import { mintTerminalToken, withOwnedJob } from '@/lib/agent-worker-proxy';
+
+export const GET = async (
+  _request: Request,
+  context: { params: Promise<{ jobId: string }> },
+) =>
+  await withOwnedJob(context, (jobId) => {
+    const minted = mintTerminalToken(jobId);
+    return Promise.resolve(
+      minted
+        ? NextResponse.json(minted)
+        : NextResponse.json(
+            { error: 'Terminal is not configured on this deployment.' },
+            { status: 503 },
+          ),
+    );
+  });