
#23008: Fix prototype pollution in mergeConfigSection and add deepMerge coverage

by Clawborn · open · 2026-02-21 22:39

Labels: commands · size: S · trusted-contributor
## Problem

`mergeConfigSection` in `src/config/merge-config.ts` iterates `Object.entries(patch)` without filtering dangerous property names. A `__proto__` or `constructor` key in a JSON-parsed patch object will be assigned directly (`result["__proto__"] = value`), which can mutate `Object.prototype` for the entire process.

This function is called on every config section merge (e.g. during `gateway config.patch` and runtime config updates), making it reachable through the config write paths.

The sibling functions already have guards:

- `deepMerge` (includes.ts) — guarded via `isBlockedObjectKey` (PR #8078)
- `applyMergePatch` (merge-patch.ts) — guarded in PR #22968

`mergeConfigSection` was the remaining unprotected merge function.

## Fix

Add a `BLOCKED_KEYS` set and skip `__proto__`, `constructor`, and `prototype` keys in the merge loop, consistent with the approach in #22968.

## Tests

- `src/config/merge-config.proto-pollution.test.ts`: 2 tests covering `__proto__` and `constructor` keys in `mergeConfigSection`
- `src/config/includes.deep-merge-proto.test.ts`: 3 tests confirming the existing `isBlockedObjectKey` guard in `deepMerge` holds for `__proto__`, `constructor`, and nested injection (no code change needed)

<h3>Greptile Summary</h3>

Adds prototype pollution protection to `mergeConfigSection` by filtering `__proto__`, `constructor`, and `prototype` keys, aligning with the existing protection in `deepMerge`. The fix prevents malicious config patches from mutating `Object.prototype` during config merges. Comprehensive tests verify both the new protection in `mergeConfigSection` and existing guards in `deepMerge`.

<h3>Confidence Score: 5/5</h3>

- Safe to merge - critical security fix with thorough test coverage
- The implementation correctly mirrors the protection pattern used in `deepMerge` (via `isBlockedObjectKey`), uses the exact same set of blocked keys, and includes comprehensive tests that verify both `__proto__` and `constructor` keys are properly filtered. The fix closes a real security vulnerability in a config merge path.
- No files require special attention

<sub>Last reviewed commit: f9f30a4</sub>
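The unguarded loop the PR body describes and the `BLOCKED_KEYS` filter it adds, as an added illustration that is not the project's `mergeConfigSection` nor any code from the PR. The model assumes a merge that recurses in place into nested objects already present on the target, because that is the path by which a `__proto__` key in a `JSON.parse`d patch reaches `Object.prototype`: reading `target["__proto__"]` yields the shared prototype, and the recursive write lands on it. `pollutionReaches` is a helper constructed for this example; the patch it feeds in is a constructed sample.

```typescript
// Added example, not code from the project or the PR: a minimal model of a
// config-section merge with and without the key filter the PR describes.
// The in-place recursion into existing nested objects is an assumed shape.

type Section = Record<string, unknown>;

// The same three names the PR's BLOCKED_KEYS set skips.
const BLOCKED_KEYS: ReadonlySet<string> = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v: unknown): v is Section {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Unguarded: every own key of the patch is applied. For the key "__proto__",
// target[key] reads the object's prototype (Object.prototype for a plain
// object), so the recursion writes into it and every object in the process
// then inherits the injected property.
function mergeSectionUnguarded(target: Section, patch: Section): Section {
  for (const [key, value] of Object.entries(patch)) {
    const existing = target[key];
    if (isPlainObject(value) && isPlainObject(existing)) {
      mergeSectionUnguarded(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Guarded: the same loop, skipping the blocked names before any read or write.
function mergeSectionGuarded(target: Section, patch: Section): Section {
  for (const [key, value] of Object.entries(patch)) {
    if (BLOCKED_KEYS.has(key)) continue; // __proto__, constructor, prototype
    const existing = target[key];
    if (isPlainObject(value) && isPlainObject(existing)) {
      mergeSectionGuarded(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Helper for this example: runs one merge implementation against a constructed
// JSON patch carrying a "__proto__" key and reports whether a fresh, unrelated
// object afterwards inherits the injected property. Always cleans up, so the
// rest of the process is unaffected by the check.
function pollutionReaches(merge: (t: Section, p: Section) => Section): boolean {
  const marker = "polluted_by_merge_example";
  // JSON.parse creates "__proto__" as an own data property, so Object.entries sees it.
  const patch = JSON.parse(`{"__proto__": {"${marker}": true}}`) as Section;
  try {
    merge({}, patch);
    return ({} as Section)[marker] === true;
  } finally {
    delete (Object.prototype as unknown as Section)[marker];
  }
}

// Stand-alone demonstration.
console.log("unguarded merge pollutes Object.prototype:", pollutionReaches(mergeSectionUnguarded));
console.log("guarded merge pollutes Object.prototype:  ", pollutionReaches(mergeSectionGuarded));
```

The guard is placed before `target[key]` is read, not only before it is written: the read of `target["__proto__"]` is what hands the recursion a reference to the shared prototype, so filtering on the way out of the loop body would be too late. A `constructor` key does not reach `Object.prototype` through this particular recursion (the inherited `constructor` is a function, which the plain-object check rejects), but skipping it keeps the blocked set identical to the one `deepMerge` already uses and avoids leaving an own `constructor` property on the merged section.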
