#23735: Gateway: add first-class wss validation and remote TLS guidance
gateway
commands
size: S
trusted-contributor
Cluster: Security Enhancements and Fixes
## Summary
- add a dedicated TLS gateway e2e test to validate secure `wss://` access and reject plaintext `ws://` on TLS-enabled gateway instances
- extend gateway test helper config overrides so TLS options can be injected in e2e scenarios
- add doctor security warning when gateway is exposed beyond loopback without TLS enabled, with explicit remediation commands
- add doctor e2e coverage for plaintext-warning and TLS-enabled non-warning cases
## Testing
- pnpm check
- pnpm test:e2e src/gateway/server.tls.e2e.test.ts
- pnpm test:e2e src/commands/doctor-security.e2e.test.ts
### Greptile Summary
This PR strengthens gateway security by adding comprehensive TLS validation and security warnings across the stack.
**Key changes:**
- Added mandatory TLS requirement for non-loopback gateway connections in all clients (iOS, Android, macOS, web UI)
- Implemented `doctor` command warning when gateway is exposed without TLS, with explicit remediation guidance
- Added dedicated e2e test validating secure `wss://` connections and rejecting plaintext `ws://` on TLS-enabled gateways
- Extended webhook security utilities with improved proxy IP validation using CIDR support and IPv6 normalization
- Added LINE webhook replay protection with event ID deduplication
- Hardened Control UI device auth bypass checks with break-glass env var requirements
### Confidence Score: 4/5
- This PR is safe to merge with thorough security hardening and comprehensive test coverage
- The changes are well-architected with extensive test coverage across e2e tests, unit tests for all platforms (iOS, Android, macOS, Node.js), and consistent security patterns. The implementation follows defense-in-depth principles by enforcing TLS at multiple layers. Minor concerns include the complexity of IP normalization logic and CIDR matching which could benefit from additional edge case testing, but existing test coverage is strong.
- Pay close attention to `extensions/voice-call/src/webhook-security.ts` for the CIDR matching logic and IP normalization functions
Last reviewed commit: fe6f7b3
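The client-side rule (TLS required for non-loopback gateway connections) and the `doctor` warning (gateway exposed beyond loopback without TLS) both rest on the same host classification. The TypeScript below is an added example, not code from this PR: the function names, the warning text and the exact set of hosts treated as loopback are assumptions.

```typescript
// Added example: all names are hypothetical, not the project's API.
type Verdict = { ok: true } | { ok: false; reason: string };

// Assumed loopback set: "localhost", 127.0.0.0/8, ::1, IPv4-mapped 127.x.
function isLoopbackHost(host: string): boolean {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h === "::1") return true;
  // WHATWG URL serialises ::ffff:127.0.0.1 as ::ffff:7f00:1
  if (/^::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}$/.test(h)) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255) && Number(m[1]) === 127;
}

// Client side: wss:// is always acceptable, ws:// only to a loopback host.
function checkGatewayUrl(raw: string): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol === "wss:") return { ok: true };
  if (url.protocol !== "ws:") {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  return isLoopbackHost(url.hostname)
    ? { ok: true }
    : { ok: false, reason: `plaintext ws:// to non-loopback host ${url.hostname}` };
}

// Doctor side: warn when the bind address is reachable beyond loopback and TLS is off.
function doctorTlsWarning(bindHost: string, tlsEnabled: boolean): string | null {
  if (tlsEnabled || isLoopbackHost(bindHost)) return null;
  return `gateway bound to ${bindHost} without TLS: enable TLS or bind to loopback`;
}
```

Anything the classifier does not recognise, such as `127.0.0.1.example.com` or a wildcard bind like `0.0.0.0`, is treated as non-loopback, so the check fails closed.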
Most Similar PRs
- #23355: Gateway: fail closed on untrusted proxy headers (by bmendonca3 · 2026-02-22; 85.2%)
- #23742: Gateway: add optional mTLS client-cert enforcement for non-loopback... (by bmendonca3 · 2026-02-22; 81.5%)
- #23361: Gateway: reject scope assertions without identity binding (by bmendonca3 · 2026-02-22; 80.2%)
- #23364: Gateway: add risk-ack interlock for dangerous Control UI flags (by bmendonca3 · 2026-02-22; 80.1%)
- #22682: fix(gateway): [P0] status probe ignores gateway.tls.enabled — hardc... (by mahsumaktas · 2026-02-21; 79.7%)
- #23714: Gateway: add websocket ingress limits for DoS hardening (by bmendonca3 · 2026-02-22; 79.2%)
- #7654: feat(security): zero-trust localhost auth with DNS rebinding protec... (by joncode · 2026-02-03; 78.6%)
- #22112: fix(doctor): warn when gateway is network-exposed without TLS (by pierreeurope · 2026-02-20; 78.6%)
- #21964: Security: harden gateway and plugin trust boundaries (by Elormyevu · 2026-02-20; 78.1%)
- #23352: Gateway: enforce origin checks for browser-context WS clients (by bmendonca3 · 2026-02-22; 77.8%)