feat(stream)!: retire WebRTC, HLS-only, bump 0.9.4

Drops the custom WebRTC DataChannel pipeline + pion deps + WSS signaling
client + wire framing. Every in-browser playback now uses HLS over HTTP
from the daemon (Tailscale/LAN/UPnP). Browser P2P never re-enabled.

Wire renames (incompatible with web < 2026-05-26): agent.WebRTCSession
=> agent.StreamSession, SyncResponse.WebRTCSessions (JSON: webrtcSessions)
=> StreamSessions (JSON: streamSessions). MIN_AGENT_VERSION is bumped
to 0.9.4 on the web side so older agents see an upgrade card.

Also fixes the libx264 'VBV bitrate > level limit' abort by clamping
the encoder bitrate to the effective output height instead of the
requested label (carried over from the prior 0.9.3 unreleased work).

The seed_file vertical (mode=seed_file handler + engine.SeedFile) was
retired with the in-browser P2P player. [downloads.webrtc] config block
deleted; existing TOML files with the section still parse fine.

SECURITY.md

@@ -72,7 +72,7 @@ Docker Hub vulnerability count:
   package pulls ~40 codec/parser libraries (`x264`, `x265`, `libvpx`, `aom`,
   `dav1d`, `libtheora`, `libvorbis`, `libwebp`, `libbluray`, `libopenmpt`, …).
   Each carries a long NVD history that Alpine does not backport. ffmpeg is a
-  **functional dependency** — the WebRTC/HLS transcode pipeline shells out to
+  **functional dependency** — the HLS transcode pipeline shells out to
   `ffmpeg`/`ffprobe` to decode untrusted media and re-encode to H.264 + AAC.
 
 ### Accepted risk and policy
@@ -100,7 +100,7 @@ Recommended additions for exposed deployments:
       - no-new-privileges:true
 ```
 
-If you do not need WebRTC/HLS transcoding, you can run with transcoding disabled to
+If you do not need HLS transcoding, you can run with transcoding disabled to
 avoid feeding untrusted media to ffmpeg at all.
 
 ## Disclosure Policy