fix(configure): reject literal "undefined" and "null" gateway auth tokens (#13767)

* fix(configure): reject literal "undefined" and "null" gateway auth tokens

* fix(configure): reject literal "undefined" and "null" gateway auth tokens

* fix(configure): validate gateway password prompt and harden token coercion (#13767) (thanks @omair445)

* test: remove unused vitest imports in baseline lint fixtures (#13767)

---------

Co-authored-by: Luna AI <luna@coredirection.ai>
Co-authored-by: Peter Steinberger <steipete@gmail.com>

src/commands/configure.gateway-auth.ts

@@ -16,6 +16,18 @@ import { randomToken } from "./onboard-helpers.js";
 
 type GatewayAuthChoice = "token" | "password";
 
+/** Reject undefined, empty, and common JS string-coercion artifacts for token auth. */
+function sanitizeTokenValue(value: string | undefined): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  if (!trimmed || trimmed === "undefined" || trimmed === "null") {
+    return undefined;
+  }
+  return trimmed;
+}
+
 const ANTHROPIC_OAUTH_MODEL_KEYS = [
   "anthropic/claude-opus-4-6",
   "anthropic/claude-opus-4-5",
@@ -36,11 +48,12 @@ export function buildGatewayAuthConfig(params: {
   }
 
   if (params.mode === "token") {
-    // Guard against undefined/empty token to prevent JSON.stringify from writing the string "undefined"
-    const safeToken = params.token?.trim() || randomToken();
-    return { ...base, mode: "token", token: safeToken };
+    // Keep token mode always valid: treat empty/undefined/"undefined"/"null" as missing and generate a token.
+    const token = sanitizeTokenValue(params.token) ?? randomToken();
+    return { ...base, mode: "token", token };
   }
-  return { ...base, mode: "password", password: params.password };
+  const password = params.password?.trim();
+  return { ...base, mode: "password", ...(password && { password }) };
 }
 
 export async function promptAuthConfig(