
#22766: fix(security): enable gateway auth rate limiting by default (CWE-307)

by brandonwise, open, 2026-02-21 16:56

Labels: gateway, size: S, trusted-contributor
## Summary

Enable gateway authentication rate limiting by default whenever shared-secret auth is configured (`gateway.auth.token` or `gateway.auth.password`). Previously, rate limiting only applied when `gateway.auth.rateLimit` was explicitly set, leaving token/password auth vulnerable to brute-force attempts by default.

## Changes

- Add `resolveGatewayAuthRateLimitConfig()` helper (`src/gateway/auth-rate-limit-config.ts`)
  - returns `undefined` when no shared secret auth is configured
  - returns explicit `gateway.auth.rateLimit` values when provided
  - otherwise returns default config object so `createAuthRateLimiter()` applies secure defaults
- Wire resolver into `startGatewayServer()` (`src/gateway/server.impl.ts`)
- Add unit tests (`src/gateway/auth-rate-limit-config.test.ts`)

## Security impact

- Closes default-on brute-force gap for gateway token/password auth (CWE-307)
- Maintains backward compatibility for explicit `gateway.auth.rateLimit` tuning

## Validation

- `pnpm exec vitest run src/gateway/auth-rate-limit-config.test.ts src/gateway/auth-rate-limit.test.ts`

Closes #14137

### Greptile Summary

Closes a CWE-307 brute-force gap by enabling gateway auth rate limiting by default whenever shared-secret auth (`token` or `password`) is configured, rather than requiring explicit `gateway.auth.rateLimit` configuration.

- Adds `resolveGatewayAuthRateLimitConfig()` helper that returns a `RateLimitConfig` with `undefined` fields (letting `createAuthRateLimiter()` apply its safe defaults) when shared-secret auth is active, and `undefined` (no limiter) when it isn't
- Wires the resolver into `startGatewayServer()` replacing the previous direct config read
- Preserves backward compatibility: explicit `gateway.auth.rateLimit` values still take precedence
- Import reordering in `server.impl.ts` is cosmetic (alphabetical sort), no imports added or removed beyond the new resolver

### Confidence Score: 5/5

- This PR is safe to merge — it adds a secure default without breaking existing configurations.
- The change is small, well-scoped, and purely additive in terms of security posture. The new resolver correctly matches auth mode to credential presence, preserves explicit user config, and the existing rate limiter creation path is unchanged. Import reordering is cosmetic. Tests cover all meaningful branches. No regressions or logical errors identified.
- No files require special attention.

Last reviewed commit: 75ec00d
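The three resolver branches the PR describes, wired to a minimal lockout limiter, as an added illustration that is not the project's own code. The `RateLimitConfig` field names, the default values (5 attempts per 60 s, then a 5 minute lockout) and the limiter API are assumptions; only the resolver's branch logic follows the PR text.

```typescript
// Assumed shapes: the real project's RateLimitConfig fields are not shown on the page.
type RateLimitConfig = { maxAttempts?: number; windowMs?: number; lockoutMs?: number };
type GatewayAuthConfig = { token?: string; password?: string; rateLimit?: RateLimitConfig };

// Hypothetical resolver mirroring the PR's three branches.
export function resolveGatewayAuthRateLimitConfig(
  auth: GatewayAuthConfig | undefined,
): RateLimitConfig | undefined {
  const hasSharedSecret = Boolean(auth?.token) || Boolean(auth?.password);
  if (!hasSharedSecret) return undefined;     // no shared-secret auth: no limiter at all
  if (auth?.rateLimit) return auth.rateLimit;  // explicit tuning always wins
  return {};                                   // all fields undefined: limiter applies defaults
}

// Hypothetical limiter; assumed defaults fill in whatever the config leaves undefined.
export function createAuthRateLimiter(cfg: RateLimitConfig) {
  const maxAttempts = cfg.maxAttempts ?? 5;
  const windowMs = cfg.windowMs ?? 60_000;
  const lockoutMs = cfg.lockoutMs ?? 300_000;
  const failures = new Map<string, number[]>();
  const lockedUntil = new Map<string, number>();
  return {
    // true when the client may attempt authentication right now
    allow(clientId: string, now: number): boolean {
      return (lockedUntil.get(clientId) ?? 0) <= now;
    },
    // record a failed attempt; lock the client once the window is exhausted
    recordFailure(clientId: string, now: number): void {
      const recent = (failures.get(clientId) ?? []).filter((t) => now - t < windowMs);
      recent.push(now);
      failures.set(clientId, recent);
      if (recent.length >= maxAttempts) {
        lockedUntil.set(clientId, now + lockoutMs);
        failures.set(clientId, []);
      }
    },
  };
}

// Wiring in the spirit of startGatewayServer(): a limiter exists only when the resolver returns a config.
export function buildLimiter(auth: GatewayAuthConfig | undefined) {
  const cfg = resolveGatewayAuthRateLimitConfig(auth);
  return cfg ? createAuthRateLimiter(cfg) : undefined;
}
```

Before the fix, the `{ token: "secret" }` case with no `rateLimit` would have produced no limiter; after it, the same config yields one running on defaults.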
