refactor(desktop): split kernel_commands/pipeline_commands into modules, add SaaS client libs and gateway modules

Split monolithic kernel_commands.rs (2185 lines) and pipeline_commands.rs (1391 lines)
into focused sub-modules under kernel_commands/ and pipeline_commands/ directories.
Add gateway module (commands, config, io, runtime), health_check, and 15 new
TypeScript client libraries for SaaS relay, auth, admin, telemetry, and kernel
sub-systems (a2a, agent, chat, hands, skills, triggers).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

start-all.ps1

@@ -233,7 +233,8 @@ if (-not $NoSaas) {
         # Check if zclaw-saas binary exists
         $saasBin = "$ScriptDir\target\debug\zclaw-saas.exe"
         $saasBinRelease = "$ScriptDir\target\release\zclaw-saas.exe"
-        $saasExe = if (Test-Path $saasBinRelease) { $saasBinRelease } elseif (Test-Path $saasBin) { $saasBin } else { $null }
+        # Dev mode: prefer debug binary (allows JWT fallback); Release mode: prefer release binary
+        $saasExe = if ($Dev -and (Test-Path $saasBin)) { $saasBin } elseif (Test-Path $saasBinRelease) { $saasBinRelease } elseif (Test-Path $saasBin) { $saasBin } else { $null }
 
         if ($saasExe) {
             ok "SaaS backend binary found: $saasExe"
@@ -241,6 +242,12 @@ if (-not $NoSaas) {
 
             if ($Dev) {
                 $env:ZCLAW_SAAS_DEV = "true"
+                if (-not $env:DB_PASSWORD) {
+                    $env:DB_PASSWORD = "123123"
+                }
+                if (-not $env:ZCLAW_SAAS_JWT_SECRET) {
+                    $env:ZCLAW_SAAS_JWT_SECRET = "dev-only-insecure-jwt-secret-32ch"
+                }
             }
             $proc = Start-Process -FilePath $saasExe -PassThru -WindowStyle Minimized
             $Jobs += $proc