
#23742: Gateway: add optional mTLS client-cert enforcement for non-loopback TLS

by bmendonca3, open, 2026-02-22 16:59

Labels: gateway, size: M, trusted-contributor
## Summary

- add `gateway.tls.clientCaPath` to schema/types for explicit client-certificate CA configuration
- enable mTLS (`requestCert` + `rejectUnauthorized`) when TLS is enabled, bind is non-loopback, and `clientCaPath` is configured
- preserve legacy fallback compatibility to `gateway.tls.caPath` when mTLS is requested
- add gateway e2e coverage proving non-loopback TLS rejects clients without certs and accepts clients with a valid cert chain
- add deterministic PEM test fixtures for mTLS e2e coverage

## Testing

- `pnpm check`
- `pnpm test:e2e test/gateway.mtls.e2e.test.ts`

### Greptile Summary

This PR adds optional mutual TLS (mTLS) support for non-loopback gateway bindings by introducing a new `gateway.tls.clientCaPath` configuration option. When a non-loopback bind address (e.g., LAN) is used with TLS enabled and `clientCaPath` is configured, the gateway will enforce client certificate verification. The implementation preserves backward compatibility by falling back to `gateway.tls.caPath` when `clientCaPath` is not specified. Comprehensive e2e tests verify that client connections without certificates are rejected and those with valid certificates are accepted.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- The implementation is straightforward and well-tested. The mTLS logic correctly gates client certificate enforcement to non-loopback bindings only, preserving existing behavior for loopback connections. The test coverage validates both rejection and acceptance paths, and the backward compatibility fallback to `caPath` is properly implemented. Only minor redundant code identified.
- No files require special attention

Last reviewed commit: b81dc4d
