#9881: chore(compose): harden gateway (localhost ports, limits, logging, healthcheck)
gateway
docker
stale
Cluster:
Docker and Deployment Improvements
Harden gateway bindings to localhost in compose (safer defaults)
Add limits/logging and a healthcheck for gateway
Fix WS connect auth resolution from cookie on upgrade
Minor infra tweak: omit port on https canvas host URL
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR hardens the Docker Compose gateway by binding exposed ports to localhost, adding container memory limits/logging rotation, and introducing a TCP healthcheck. It also adjusts gateway WS connect authentication handling and changes canvas host URL formatting to omit the port on HTTPS.
Main integration points are the compose runtime defaults (`docker-compose.yml`), the WS handshake path in `src/gateway/server/ws-connection/message-handler.ts` (connect/auth), and URL generation in `src/infra/canvas-host-url.ts` (used wherever the canvas host URL is surfaced to clients).
<h3>Confidence Score: 2/5</h3>
- Not safe to merge as-is due to a WS handler compile/runtime breakage.
- The WS message handler introduces an undefined helper and redeclares auth variables, which will either fail typechecking/build or crash on the first connect handshake. The canvas URL change also breaks HTTPS deployments on non-default ports.
- src/gateway/server/ws-connection/message-handler.ts, src/infra/canvas-host-url.ts
<!-- greptile_other_comments_section -->
**Context used:**
- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))
<!-- /greptile_comment -->
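The compose hardening summarized above (localhost-bound ports, a memory limit, log rotation, a healthcheck) can be checked mechanically. The following is an added example, not code from this PR or from the review; the function names, image name, port 8080 and the `nc` healthcheck command are assumptions made for illustration.

```javascript
// Added example: audit a Compose service for the four hardening items above.
// Input shape follows Compose service keys; sample values are constructed.

// Host IP a port entry binds to, or null when none is given
// (Docker then publishes the port on all interfaces).
function hostIp(port) {
  if (typeof port === "object" && port !== null) return port.host_ip || null; // long syntax
  const spec = String(port).split("/")[0]; // drop "/tcp" or "/udp"
  const v6 = spec.match(/^\[([^\]]+)\]:/); // "[::1]:8080:8080"
  if (v6) return v6[1];
  const parts = spec.split(":");
  return parts.length === 3 ? parts[0] : null; // "IP:HOST:CONTAINER"
}

function isLoopback(ip) {
  return ip !== null && (ip.startsWith("127.") || ip === "::1");
}

function auditService(name, svc) {
  const findings = [];
  for (const p of svc.ports || []) {
    if (!isLoopback(hostIp(p))) {
      findings.push(`${name}: port ${JSON.stringify(p)} is not bound to loopback`);
    }
  }
  const memLimit = svc.mem_limit || svc.deploy?.resources?.limits?.memory;
  if (!memLimit) findings.push(`${name}: no memory limit`);
  const opts = svc.logging?.options || {}; // json-file rotation options
  if (!opts["max-size"] || !opts["max-file"]) {
    findings.push(`${name}: log rotation not configured`);
  }
  const hc = svc.healthcheck;
  if (!hc || hc.disable || !hc.test) findings.push(`${name}: no healthcheck`);
  return findings;
}

// Constructed "before" and "after" service definitions (port 8080 is a placeholder).
const before = { image: "example/gateway:latest", ports: ["8080:8080"] };
const after = {
  image: "example/gateway:latest",
  ports: ["127.0.0.1:8080:8080"],
  mem_limit: "512m",
  logging: { driver: "json-file", options: { "max-size": "10m", "max-file": "3" } },
  healthcheck: { test: ["CMD", "nc", "-z", "127.0.0.1", "8080"], interval: "30s", retries: 3 },
};

console.log(auditService("gateway", before)); // four findings
console.log(auditService("gateway", after));  // []
```

The service object can be taken from the parsed output of `docker compose config --format json`, which normalizes ports to the long syntax handled by `hostIp`.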
Most Similar PRs
#8050: fix: docker hardening
by christopherbarnett96 · 2026-02-03
85.9%
#4695: Fixed the default CLI image to use published GHCR image
by TASMAYU · 2026-01-30
81.6%
#9992: Docker: Fixed port mapping so ports publish when not stated
by Lightmean03 · 2026-02-06
80.3%
#9190: feat(docker): Add autonomous container self-restart and runtime pac...
by alexdredmon · 2026-02-05
79.4%
#11478: Chore: add Dockerfile HEALTHCHECK and debug-log silent catch blocks
by U-C4N · 2026-02-07
78.7%
#13950: fix(docker): add browser sidecar service and health checks
by n24q02m · 2026-02-11
78.7%
#12504: fix: allow docker cli container to connect to gateway
by bvanderdrift · 2026-02-09
78.3%
#8713: feat: gateway memory monitor, install linger, docs and failover
by quratus · 2026-02-04
78.0%
#6512: Claude/setup open claw agent f v sqk
by franelcisco · 2026-02-01
77.8%
#13539: Claude/update dockerfile cmd 1 te te
by federiconicolasvozza-oss · 2026-02-10
77.1%