
#16963: fix: enable auth rate limiting by default

by StressTestor, open, 2026-02-15 08:44
Labels: gateway, stale; size: XS
## Summary

- Auth rate limiter was only created when explicitly configured, leaving the gateway unprotected by default
- Changed to always create a rate limiter with sensible defaults unless explicitly set to `enabled: false`
- Added `enabled` boolean to `GatewayAuthRateLimitConfig` type for explicit opt-out
- Added tests for default and empty config scenarios

Fixes #16876

## Test plan

- [x] Test rate limiter created with no config (default protection)
- [x] Test rate limiter created with empty config object
- [x] Existing rate limiter tests still pass
- [x] Full test suite passes (`pnpm test:fast`, `pnpm check`)

### Greptile Summary

This PR fixes a security gap (#16876) where the gateway auth rate limiter was only created when `gateway.auth.rateLimit` was explicitly configured, leaving gateways unprotected by default against brute-force auth attempts.

- **`src/gateway/server.impl.ts`**: Inverts the rate limiter creation logic from opt-in to opt-out. The limiter is now always created with sensible defaults (10 attempts, 60s window, 5min lockout) unless `rateLimit.enabled` is explicitly set to `false`. Passing `undefined` config to `createAuthRateLimiter()` correctly triggers all default values.
- **`src/config/types.gateway.ts`**: Adds `enabled?: boolean` to `GatewayAuthRateLimitConfig` for explicit opt-out.
- **`src/gateway/auth-rate-limit.test.ts`**: Adds two regression tests covering no-config and empty-config scenarios.

The change is minimal and well-targeted. All downstream consumers already handle `rateLimiter` as optional (`AuthRateLimiter | undefined`), so the behavioral change is safe.

### Confidence Score: 5/5

- This PR is safe to merge — it closes a security gap with minimal, well-tested changes.
- The change is a 3-file, 27-line addition that flips rate limiter creation from opt-in to opt-out. The logic is straightforward (`=== false` check), the `createAuthRateLimiter` function already handles `undefined` config with sensible defaults, all downstream consumers handle the limiter as optional, and regression tests cover the key scenarios. No risk of breakage for existing configurations.
- No files require special attention.

Last reviewed commit: 92a9a99
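The opt-in versus opt-out construction described above, as an added example written for this page (it is not the project's code and the PR diff is not shown here). It assumes a config shape with `maxAttempts`, `windowMs` and `lockoutMs` fields alongside the PR's `enabled` flag, a hypothetical `AuthRateLimiter` with an injectable clock, and a constructed client id `203.0.113.7`; the defaults are the 10 attempts, 60s window and 5min lockout the review quotes.

```typescript
// Added example (not the project's code). Only `enabled` and the default
// values come from the PR page; the other field names are assumptions.
interface GatewayAuthRateLimitConfig {
  enabled?: boolean;     // explicit opt-out, as added by the PR
  maxAttempts?: number;  // assumed field name
  windowMs?: number;     // assumed field name
  lockoutMs?: number;    // assumed field name
}

type Clock = () => number;

// Hypothetical limiter: counts failures per client inside a sliding window and
// locks the client out once the window holds `maxAttempts` failures.
class AuthRateLimiter {
  private readonly attempts = new Map<string, number[]>();
  private readonly lockedUntil = new Map<string, number>();

  constructor(
    private readonly maxAttempts: number,
    private readonly windowMs: number,
    private readonly lockoutMs: number,
    private readonly now: Clock = () => Date.now(),
  ) {}

  /** True if the client may attempt authentication right now. */
  check(clientId: string): boolean {
    const t = this.now();
    const until = this.lockedUntil.get(clientId);
    if (until !== undefined) {
      if (t < until) return false;           // still locked out
      this.lockedUntil.delete(clientId);     // lockout expired: reset state
      this.attempts.delete(clientId);
    }
    return true;
  }

  /** Record a failed attempt; triggers lockout when the window fills up. */
  recordFailure(clientId: string): void {
    const t = this.now();
    const recent = (this.attempts.get(clientId) ?? []).filter(ts => t - ts < this.windowMs);
    recent.push(t);
    this.attempts.set(clientId, recent);
    if (recent.length >= this.maxAttempts) {
      this.lockedUntil.set(clientId, t + this.lockoutMs);
    }
  }

  /** A successful login clears the failure history for that client. */
  recordSuccess(clientId: string): void {
    this.attempts.delete(clientId);
  }
}

// Defaults quoted in the review: 10 attempts, 60s window, 5min lockout.
const DEFAULTS = { maxAttempts: 10, windowMs: 60_000, lockoutMs: 5 * 60_000 };

// `undefined` or `{}` falls through to every default, as the review describes.
function createAuthRateLimiter(cfg?: GatewayAuthRateLimitConfig, now?: Clock): AuthRateLimiter {
  return new AuthRateLimiter(
    cfg?.maxAttempts ?? DEFAULTS.maxAttempts,
    cfg?.windowMs ?? DEFAULTS.windowMs,
    cfg?.lockoutMs ?? DEFAULTS.lockoutMs,
    now,
  );
}

// Before the fix (opt-in): an absent config means no limiter at all.
function buildLimiterOptIn(cfg?: GatewayAuthRateLimitConfig): AuthRateLimiter | undefined {
  return cfg ? createAuthRateLimiter(cfg) : undefined;
}

// After the fix (opt-out): always build one unless `enabled` is exactly `false`.
function buildLimiterOptOut(cfg?: GatewayAuthRateLimitConfig, now?: Clock): AuthRateLimiter | undefined {
  return cfg?.enabled === false ? undefined : createAuthRateLimiter(cfg, now);
}

// Drive the default limiter with a fake clock: one failed attempt per second.
// Returns the attempt number at which the client was first refused, and whether
// the client is admitted again once the lockout has elapsed.
function simulateBurst(failures: number): { blockedAt: number | null; openAfterLockout: boolean } {
  const clientId = "203.0.113.7"; // constructed sample client id
  let t = 0;
  const limiter = buildLimiterOptOut(undefined, () => t)!;
  let blockedAt: number | null = null;
  for (let i = 1; i <= failures; i++) {
    t += 1000;
    if (!limiter.check(clientId)) { blockedAt = i; break; }
    limiter.recordFailure(clientId);
  }
  t += DEFAULTS.lockoutMs + 1;
  return { blockedAt, openAfterLockout: limiter.check(clientId) };
}
```

With no config, `buildLimiterOptIn` returns `undefined` (the gap the PR closes) while `buildLimiterOptOut` returns a limiter using all defaults; only `{ enabled: false }` disables it. The simulated burst is refused on the eleventh attempt and admitted again after the five-minute lockout.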
