feat: support default network interface binding and persist SSL certificate paths

[arjo129]

🎉 New feature

Closes #

Summary

Split out from #3590, this PR changes the WebSocket server's default listening address from 0.0.0.0 to 127.0.0.1 (localhost).

Binding to 0.0.0.0 exposes the server to all network interfaces, opening the door to remote exploits like the one detailed in #3589. Restricting the default to 127.0.0.1 ensures a "secure by default" posture, limiting access to local traffic only.

Streamlined Review: Isolating this from #3590 allows us to land this critical security hardening measure immediately without it being blocked by broader feature work.

Backport Recommendation: Breaks behaviour, don't backport

Ive also bundled in some lifetime related fixes.

Test it

Checklist

• Signed all commits for DCO
• Added a screen capture or video to the PR description that demonstrates the feature
• Added tests
• Added example and/or tutorial
• Updated documentation (as needed)
• Updated migration guide (as needed)
• Consider updating Python bindings (if the library has them)
• codecheck passed (See contributing)
• All tests passed (See test coverage)
• Updated Bazel files (if adding new files). Created an issue otherwise.
• While waiting for a review on your PR, please help review another open pull request to support the maintainers
• Was GenAI used to generate this PR? If so, make sure to add "Generated-by" to your commits. (See this policy for more info.)

Generated-by: Remove this if GenAI was not used.

Note to maintainers: Remember to use Squash-Merge and edit the commit message to match the pull request summary while retaining Signed-off-by and Generated-by messages.

Backports: If this is a backport, please use Rebase and Merge instead.

[iche033]

checking if we actually need to introduce 2 new parameters or if we could just have one, e.g. <address> and just document that here that it also means iface - given that they both get parsed and stored in the same variable