## Description
## Context
nimschatwidget runs as a standalone container on land, serving the chat backend for all NimsForest web tools. Currently it only supports same-origin usage (NimsForest services on land).
## Proposal
Make nimschatwidget embeddable on external org websites (orgname.mynimsforest.com) with proper security.
### Changes needed
- Embed token system: org registers allowed domains, gets a scoped token
- Origin allowlist validation (token -> allowed origins)
- Rate limiting per token / per IP on /chat/send
- Crypto-random session ID generation (server-side)
- Widget JS: support `baseURL` config (full URL for cross-origin), pass embed token in requests
- CORS headers based on token's allowed origins (not wildcard)
- Keep backward compat with `basePath` for same-origin NimsForest tools
### Security
- Embed token as primary auth gate
- Origin allowlist checked server-side
- Rate limiting on /chat/send
- Defense in depth: token + origin + rate limit
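The three server-side gates above (token lookup, exact origin allowlist, per-token/IP rate limit) sketched in Go as an added example; this is not nimschatwidget's code, and the token registry, the `tok_acme_example` token, the `acme.mynimsforest.com` origin and the function names are all assumptions made for illustration.

```go
package main

import (
	"net/http"
	"sync"
	"time"
)

// Constructed registry (hypothetical): embed token -> origins the org registered.
var embedTokens = map[string][]string{
	"tok_acme_example": {"https://acme.mynimsforest.com"},
}

// allowedOrigin returns origin only if the token is known and its allowlist
// contains origin exactly; prefix/suffix lookalike hosts are rejected.
func allowedOrigin(token, origin string) string {
	for _, o := range embedTokens[token] {
		if o == origin {
			return origin
		}
	}
	return ""
}

// setCORS writes per-token CORS headers; the echoed origin is the one that matched, never "*".
func setCORS(h http.Header, token, origin string) bool {
	o := allowedOrigin(token, origin)
	if o == "" {
		return false
	}
	h.Set("Access-Control-Allow-Origin", o)
	h.Set("Vary", "Origin")
	return true
}

// limiter is a fixed-window counter for /chat/send, keyed by token+IP.
type limiter struct {
	mu     sync.Mutex
	counts map[string]int
	start  time.Time
	max    int // requests allowed per window
	window time.Duration
}

// allow counts one request for key at time now; the counter resets when the window elapses.
func (l *limiter) allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.counts == nil || now.Sub(l.start) >= l.window {
		l.counts, l.start = map[string]int{}, now
	}
	l.counts[key]++
	return l.counts[key] <= l.max
}
```

A request to /chat/send would be rejected before any chat logic runs if either setCORS or allow returns false.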
Nebula's reasoning: This feature enables nimschatwidget to serve external org websites (mynimsforest.com domains), which is a meaningful capability expansion. However, same-origin usage for NimsForest services already works, so no users are currently blocked. Medium priority reflects its importance for the external org use case without displacing any critical fixes.