fix(security): centralize owner-only tool gating and scope maps

src/gateway/method-scopes.test.ts

@@ -1,8 +1,10 @@
 import { describe, expect, it } from "vitest";
 import {
   authorizeOperatorScopesForMethod,
+  isGatewayMethodClassified,
   resolveLeastPrivilegeOperatorScopesForMethod,
 } from "./method-scopes.js";
+import { coreGatewayHandlers } from "./server-methods.js";
 
 describe("method scope resolution", () => {
   it("classifies sessions.resolve as read and poll as write", () => {
@@ -48,3 +50,12 @@ describe("operator scope authorization", () => {
     });
   });
 });
+
+describe("core gateway method classification", () => {
+  it("classifies every exposed core gateway handler method", () => {
+    const unclassified = Object.keys(coreGatewayHandlers).filter(
+      (method) => !isGatewayMethodClassified(method),
+    );
+    expect(unclassified).toEqual([]);
+  });
+});