851fed4739
TOKEN_AUTH: when the server has a V2 private key, signs "SN|valid(0/1)" with ECDSA P-256 and places "sig:<base64>" in the response reserved field. Clients can verify server identity without changing the request format. TOKEN_SERVER_VERIFY (251): added constant to commands.h; handler already present in 2015RemoteDlg.cpp for the challenge-response server identity check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>