
#23403: Discovery: gate non-loopback full mDNS mode

by bmendonca3 open 2026-02-22 08:58
docs gateway size: S trusted-contributor
## Summary

- enforce effective mDNS discovery mode for non-loopback binds:
  - keep `minimal` as safe default
  - require `OPENCLAW_DISCOVERY_ALLOW_FULL_MDNS=1` to honor `discovery.mdns.mode="full"`
  - otherwise fall back to `minimal` with an explicit warning
- thread gateway bind mode into discovery runtime mode resolution
- add audit findings for `discovery.mdns.mode="full"` on non-loopback binds:
  - `critical` when unconfirmed
  - `warn` when explicitly confirmed
- add unit tests for discovery mode resolution and audit checks
- update discovery/security docs with the new explicit-confirm behavior

## Testing

- pnpm test src/gateway/server-discovery-runtime.test.ts src/gateway/server-discovery.test.ts
- pnpm exec vitest run src/security/audit.test.ts -t "mDNS full mode"

<h3>Greptile Summary</h3>

enforced explicit confirmation for mDNS full mode on non-loopback binds via `OPENCLAW_DISCOVERY_ALLOW_FULL_MDNS=1`, with runtime fallback to minimal mode when unconfirmed

- added `resolveEffectiveMdnsMode` to gate full mode on non-loopback binds
- added security audit checks for unconfirmed (`critical`) and confirmed (`warn`) full mode on non-loopback binds
- added comprehensive unit tests for mode resolution and audit checks
- updated docs with explicit-confirm behavior

**Issue found:** wide-area discovery path (line 121) bypasses the minimal mode check by calling `resolveBonjourCliPath()` directly instead of using the `cliPath` variable computed on line 72, exposing CLI path metadata even in minimal mode

<h3>Confidence Score: 3/5</h3>

- safe to merge with one logic bug that needs fixing
- implementation correctly gates mDNS full mode for the Bonjour path, but the wide-area discovery path bypasses this check and leaks `cliPath` metadata even in minimal mode; comprehensive test coverage for the main code path but no tests for wide-area discovery behavior
- src/gateway/server-discovery-runtime.ts:121 (logic bug in wide-area discovery path)

<sub>Last reviewed commit: 2b01a6f</sub>
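A sketch of the gating rule described above, added here as an illustration and not taken from the PR's code. The type names, the `loopbackBind` flag and the function names are assumptions; only the environment variable, the mode values and the audit severities come from the description.

```typescript
// Added sketch: names and shapes are assumptions, not the project's implementation.
type MdnsMode = "minimal" | "full";
type Severity = "critical" | "warn";
type Env = Record<string, string | undefined>;

interface DiscoveryInput {
  configuredMode: MdnsMode; // value of discovery.mdns.mode
  loopbackBind: boolean;    // hypothetical flag derived from the gateway bind mode
  env: Env;
}

const ALLOW_FULL = "OPENCLAW_DISCOVERY_ALLOW_FULL_MDNS";

// Assumption: only the exact value "1" counts as confirmation.
function fullModeConfirmed(env: Env): boolean {
  return env[ALLOW_FULL] === "1";
}

// Runtime gate: full mode on a non-loopback bind is honored only when confirmed,
// otherwise the effective mode falls back to minimal with an explicit warning.
function effectiveMdnsMode(input: DiscoveryInput): { mode: MdnsMode; warning?: string } {
  if (input.configuredMode !== "full" || input.loopbackBind) {
    return { mode: input.configuredMode };
  }
  if (fullModeConfirmed(input.env)) return { mode: "full" };
  return {
    mode: "minimal",
    warning: `discovery.mdns.mode="full" ignored on non-loopback bind; set ${ALLOW_FULL}=1 to confirm`,
  };
}

// Audit view of the same condition: critical when unconfirmed, warn when confirmed.
function auditMdnsMode(input: DiscoveryInput): Severity | null {
  if (input.configuredMode !== "full" || input.loopbackBind) return null;
  return fullModeConfirmed(input.env) ? "warn" : "critical";
}

// Single source for the advertised CLI path. If both the Bonjour and wide-area
// advertisers read from here, neither can expose the path in minimal mode,
// which is the bypass the review comment reports.
function advertisedCliPath(mode: MdnsMode, resolvedCliPath: string): string | undefined {
  return mode === "full" ? resolvedCliPath : undefined;
}
```
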
