#9988: feat(gateway): add overlay, zerotier, and wireguard bind modes

## Summary - Add three new gateway bind modes: `zerotier`, `wireguard`, and `overlay` (generic auto-detect) - Extract Tailscale-specific auth code from `auth.ts` into `auth-tailscale.ts` for cleaner boundaries - New `pickOverlayIPv4()` detection module that identifies overlay network interfaces by name prefix (`zt*`, `wg*`, `nebula*`) or IP range (Tailscale CGNAT) Four tiers of specificity: ``` --bind tailnet → Tailscale only (existing) --bind zerotier → ZeroTier only (new) --bind wireguard → WireGuard only (new) --bind overlay → auto-detect any (new) — covers Tailscale, ZeroTier, WireGuard, Nebula ``` ### New files - `src/infra/overlay-net.ts` — overlay network detection (`pickOverlayIPv4`) - `src/infra/overlay-net.test.ts` — 11 tests covering all detection strategies - `src/gateway/auth-tailscale.ts` — extracted Tailscale auth functions ### Changes across - Config types + zod schema (new bind modes + `overlayInterface` field) - Gateway `net.ts` bind host resolution + local address detection - CLI validation, doctor security, daemon status, onboarding, configure prompts - macOS Swift `GatewayEndpointStore` (supported modes + host resolution) - Docs: `gateway.md`, `configuration.md`, `network-model.md` ## Test plan - [x] `tsc --noEmit` — no new type errors - [x] `oxlint` — 0 warnings, 0 errors on all changed files - [x] `oxfmt --check` — all formatted - [x] `vitest run` — 11 new overlay-net tests pass, 7 auth tests pass, 225 total gateway/infra/config tests pass 🤖 Co-authored with [Claude Code](https://claude.com/claude-code) powered by an enormous lobster-biscuit. ## Existing Functionality Check I searched the codebase for existing functionality before implementing this.