
#21964: Security: harden gateway and plugin trust boundaries

by Elormyevu, open, 2026-02-20 15:41

Labels: docs, gateway, size: L
## Summary

- harden gateway and plugin trust boundaries to reduce compromise risk by default
- move HTTP tool exposure to explicit allowlist-only behavior
- enforce plugin HTTP route namespacing and authenticated plugin namespace dispatch
- tighten unsafe auth bypass paths behind explicit env gates
- make plugin install code-safety scanning fail-closed (critical findings and scanner errors block install)
- disable URL ingestion defaults for file/image paths unless explicitly enabled
- add mTLS requirement toggle and enforce CA presence when enabled
- expand security headers and align audit findings with hardened behavior

## Documentation

- add comprehensive handoff report:
  - `docs/security/HARDENING-HANDOFF-2026-02-20.md`

## Validation

- unit/security-focused tests:
  - `corepack pnpm vitest src/plugins/loader.test.ts src/gateway/server.plugin-http-auth.test.ts src/gateway/tools-invoke-http.test.ts src/security/audit.test.ts src/gateway/server-runtime-config.test.ts`
- e2e/security-focused tests:
  - `corepack pnpm vitest run --config vitest.e2e.config.ts src/plugins/install.e2e.test.ts src/gateway/openai-http.e2e.test.ts src/gateway/openresponses-http.e2e.test.ts`
  - `corepack pnpm vitest run --config vitest.e2e.config.ts src/gateway/server.auth.e2e.test.ts`

### Greptile Summary

This PR implements comprehensive security hardening for OpenClaw's gateway and plugin trust boundaries. The changes systematically reduce attack surface by moving from permissive defaults to explicit allowlist-based controls across multiple subsystems.

**Key Changes:**

- HTTP tool exposure (`/tools/invoke`) now requires explicit allowlisting via `gateway.tools.allow` (previously deny-list based)
- Plugin HTTP routes enforced to stay within `/plugins/<pluginId>/` or `/api/channels/` namespaces
- Plugin HTTP dispatch now requires gateway authentication for all plugin namespaces
- External plugins disabled by default (was auto-enabled for discovered plugins)
- Plugin install code-safety scanning now fail-closed for critical findings and scanner errors
- Insecure Control UI auth bypass flags blocked unless explicit env gate enabled
- URL ingestion for files/images disabled by default (was enabled)
- Session override header disabled by default, gated behind explicit env flag
- Generated startup tokens no longer auto-persist (requires opt-in env flag)
- Auth rate limiting always enforced with defaults
- mTLS client certificate requirement toggle added with CA validation
- Additional security headers: `X-Frame-Options`, `Permissions-Policy`, `Cross-Origin-Opener-Policy`

**Security Impact:** These changes represent multiple breaking behavioral changes that significantly harden the default security posture. All changes are well-documented, properly gated behind environment variables where appropriate, and include comprehensive test coverage.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- All security hardening changes follow defense-in-depth principles with fail-safe defaults. Comprehensive test coverage (117 unit tests, 24 e2e tests) validates all hardening logic. Breaking changes are clearly documented with migration paths. The implementation consistently enforces security boundaries across gateway, plugin, and HTTP surfaces with no identified gaps.
- No files require special attention

Last reviewed commit: 8420066
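The PR summary and the review's key-changes list describe three gate checks whose edge cases are easy to get wrong: allowlist-only tool exposure, plugin route namespacing under `/plugins/<pluginId>/` or `/api/channels/`, and a fail-closed install scanner. The block below is an added example written for this page in TypeScript (the project's language); it is not OpenClaw's code and does not reflect how the PR implements these checks. Every function and type name in it (`isToolExposed`, `normalizeRoutePath`, `isPluginRouteInNamespace`, `installDecision`, `ToolsConfig`, `ScanOutcome`) is hypothetical, and the path normalization rules (refusing percent-encoded segments, rejecting paths that climb above `/`) are this example's own choices.

```typescript
// Added example, not OpenClaw's code: the three trust-boundary gates the PR
// describes, written as pure functions so their edge cases can be exercised.
// All names below are hypothetical.

export type ToolsConfig = { allow?: string[] };

// Allowlist-only /tools/invoke exposure: with no allowlist configured, nothing
// is exposed. (A deny-list would expose every tool not explicitly listed.)
export function isToolExposed(toolName: string, cfg: ToolsConfig): boolean {
  const allow = cfg.allow ?? [];
  return allow.includes(toolName);
}

// Plugin ids are restricted so an id cannot itself contain a "/" or a dot segment.
const PLUGIN_ID = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// Resolve "." and ".." segments so the namespace check runs on the path a router
// would actually match. Returns null for relative paths, paths that climb above
// "/", and percent-encoded segments (refused here rather than decoded).
export function normalizeRoutePath(path: string): string | null {
  if (!path.startsWith("/")) return null;
  const segs: string[] = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segs.length === 0) return null;
      segs.pop();
      continue;
    }
    if (seg.includes("%")) return null;
    segs.push(seg);
  }
  const trailing = path.endsWith("/") && segs.length > 0 ? "/" : "";
  return "/" + segs.join("/") + trailing;
}

// A plugin route must live under /plugins/<pluginId>/ or /api/channels/. The
// trailing slash in the prefix is what stops "/plugins/foo-evil/x" from passing
// for pluginId "foo", and normalizing first is what stops "/plugins/foo/../bar/x".
export function isPluginRouteInNamespace(pluginId: string, path: string): boolean {
  if (!PLUGIN_ID.test(pluginId)) return false;
  const p = normalizeRoutePath(path);
  if (p === null) return false;
  return p.startsWith(`/plugins/${pluginId}/`) || p.startsWith("/api/channels/");
}

export type Finding = { severity: "info" | "warning" | "critical"; rule: string };
export type ScanOutcome = { findings: Finding[] } | { error: string };

// Fail-closed install gate: a scanner error blocks the install exactly as a
// critical finding does, instead of being treated as "no findings".
export function installDecision(scan: ScanOutcome): { allow: boolean; reason: string } {
  if ("error" in scan) {
    return { allow: false, reason: `scanner error: ${scan.error}` };
  }
  const critical = scan.findings.filter((f) => f.severity === "critical");
  if (critical.length > 0) {
    const rules = critical.map((f) => f.rule).join(", ");
    return { allow: false, reason: `critical findings: ${rules}` };
  }
  return { allow: true, reason: "no critical findings" };
}
```

The namespace check deliberately rejects the bare namespace root (`/plugins/foo` without a trailing slash) and any percent-encoded segment; a real router may decode before matching, in which case the check must run on the decoded path rather than refuse it.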
