
#13308: Security: address audit findings (gateway, CI, Docker)

by rachelnguyen, open, 2026-02-10 10:00

Labels: gateway, docker, stale
## Summary

This PR applies a set of security hardening changes identified during an internal audit (static review). Focus areas: gateway auth defaults, network exposure, error hygiene, rate limiting, Docker supply-chain hardening, and CI/workflow permissions.

## Key changes

### Gateway / API

- Added rate limiting for HTTP endpoints (per IP/token) to reduce abuse/DoS risk.
- Sanitized error responses to avoid leaking internal details.
- Added request/payload validation improvements for hooks and other boundaries.

### Auth / Network

- Added an option to require auth even on loopback for hardened deployments.
- Tightened client IP resolution for forwarded headers (rightmost-untrusted approach).
- Added safety warnings / fail-fast behavior when binding to LAN without auth (where applicable).

### Tool execution

- Moved `system.run` out of the default allowlist into a “dangerous/opt-in” category.

### Container / CI

- Hardened Docker build (reduced supply-chain risk; improved build structure).
- Improved secret-handling guidance/structure in compose.
- Re-enabled CI security checks and added explicit workflow permissions.

## Verification

- [ ] `pnpm test` / `pnpm lint` (fill in what you ran)
- [ ] `pnpm build`
- CI: GitHub Actions

## Notes

- This PR keeps vulnerability details minimal; happy to provide more context privately if needed per the project security policy.
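The "rightmost-untrusted" client IP resolution and per-IP rate limiting mentioned in the PR description, as an added illustration that is not the PR's own code. The trusted proxy list, the fixed-window limiter and its parameters are assumptions chosen for this example.

```javascript
// Added example (not code from this PR): resolve the client IP from
// X-Forwarded-For with the "rightmost untrusted" rule, then key a
// fixed-window rate limiter on the resolved IP. `trustedProxies` and
// the limiter parameters are assumptions for illustration.

/**
 * Return the rightmost X-Forwarded-For hop that is not one of our own
 * trusted proxies. Walking from the right matters: each trusted proxy
 * appends the peer address it actually saw, so addresses a client
 * prepends to the header never become the selected value.
 */
function resolveClientIp(remoteAddr, xff, trustedProxies) {
  const trusted = new Set(trustedProxies);
  // If the direct peer is not a trusted proxy, the header is untrusted input.
  if (!trusted.has(remoteAddr)) return remoteAddr;
  const hops = (xff || "").split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  // Every listed hop was a trusted proxy: fall back to the direct peer.
  return remoteAddr;
}

/** Minimal fixed-window limiter: allow `limit` requests per `windowMs` per key. */
function createRateLimiter(limit, windowMs) {
  const buckets = new Map(); // key -> { count, resetAt }
  return function allow(key, now = Date.now()) {
    const b = buckets.get(key);
    if (!b || now >= b.resetAt) {
      buckets.set(key, { count: 1, resetAt: now + windowMs });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}

// Constructed sample: a reverse proxy at 10.0.0.2 forwards for client 1.2.3.4,
// and the client tried to prepend a spoofed address to the header.
const allow = createRateLimiter(100, 60_000);
const ip = resolveClientIp("10.0.0.2", "9.9.9.9, 1.2.3.4", ["10.0.0.2"]);
console.log(ip, allow(ip)); // 1.2.3.4 true
```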
