#22110: fix(tools): prefer loopback for internal tool-to-gateway RPC calls

When `gateway.bind` is `lan` or `tailnet`, internal tool calls (sessions_list, node.list, etc.) resolve to the LAN/tailnet IP instead of `127.0.0.1`. The CWE-319 security check (added in v2026.2.14) then blocks these as insecure plaintext connections, even though they're in-process with zero interception risk. This breaks all agent tool calls in Docker containers with `bind: "lan"`. **Root cause:** `resolveGatewayOptions()` left the URL undefined, deferring to `buildGatewayConnectionDetails()` which picks the bind-mode address. For internal calls, loopback is always correct since the gateway listens on `0.0.0.0` (which includes `127.0.0.1`). **Fix:** `resolveGatewayOptions()` now resolves to `ws(s)://127.0.0.1:<port>` for local mode. Remote mode still defers to `callGateway` for remote URL resolution. **Tests:** - Updated existing test: now expects loopback URL instead of undefined - Added test: remote mode still leaves URL undefined for remote resolution - All 7 tests pass Fixes #22104. <!-- greptile_comment --> <h3>Greptile Summary</h3> Fixed internal tool-to-gateway RPC calls that were incorrectly resolving to LAN/tailnet IPs instead of loopback when `gateway.bind` is set to `lan` or `tailnet`, causing the CWE-319 security check to block them as insecure plaintext connections. - Modified `resolveGatewayOptions()` in `gateway.ts:89-117` to explicitly resolve to `ws(s)://127.0.0.1:<port>` for local mode (respects TLS config) - Remote mode still leaves URL undefined for proper remote resolution by `callGateway` - Updated test to verify loopback URL resolution for local mode - Added test coverage for remote mode behavior <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with minimal risk - The fix is targeted, well-tested, and correctly addresses the root cause. The loopback resolution is only applied to local mode (non-remote), which is the correct behavior. The CWE-319 check will now pass for internal calls since loopback is always secure. Remote mode still defers to `callGateway` as before. - No files require special attention _{Last reviewed commit: f0e2b98} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->