feat(rotate): persist current password; add token-protected API

* RotatePasswords now stores the active wordlist entry as
  unifi.password_rotation.last_password whenever a whole-SSID rotation
  succeeds. Per-PPSK rotation continues to store passwords on each
  PPSK row as before.
* Settings → Tasks tab surfaces the current password in bold beneath
  the wordlist textarea so operators can quickly check what's live.
* New JSON endpoint GET /api/unifi/wifi/current-password returns
  {"password": "...", "rotated_at": "..."}. Protected by a token stored
  in unifi.api_token — pass as Authorization: Bearer <token> or
  ?token=<token>. 401 on bad/missing token, 503 if no token is
  configured, 404 if no rotation has happened yet.
* Settings page lets super-admins Generate / Regenerate / Clear the
  token. Generated tokens are 48-char hex from bin2hex(random_bytes(24)).
* The endpoint lives outside the web/auth middleware so external
  signage / kiosks can hit it without a session cookie.

v1.6.2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Console/RotatePasswords.php

@@ -68,6 +68,9 @@ class RotatePasswords extends Command
 
             if ($rotated) {
                 Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
+                // Persist the active password so it can be displayed in
+                // the Settings page and exposed via the API endpoint.
+                Setting::set('unifi.password_rotation.last_password', $password);
                 $this->info('Rotated password for ' . count($rotated) . ' SSID(s).');
             }