Security: Prevent gateway credential exfiltration via URL override (#9179)

* Gateway: require explicit auth for url overrides

* Gateway: scope credential blocking to non-local URLs only

Address review feedback: the previous fix blocked credential fallback for
ALL URL overrides, which was overly strict and could break workflows that
use --url to switch between loopback/tailnet without passing credentials.

Now credential fallback is only blocked for non-local URLs (public IPs,
external hostnames). Local addresses (127.0.0.1, localhost, private IPs
like 192.168.x.x, 10.x.x.x, tailnet 100.x.x.x) still get credential
fallback as before.

This maintains the security fix (preventing credential exfiltration to
attacker-controlled URLs) while preserving backward compatibility for
legitimate local URL overrides.

* Security: require explicit credentials for gateway url overrides (#8113) (thanks @victormier)

* Gateway: reuse explicit auth helper for url overrides (#8113) (thanks @victormier)

* Tests: format gateway chat test (#8113) (thanks @victormier)

* Tests: require explicit auth for gateway url overrides (#8113) (thanks @victormier)

---------

Co-authored-by: Victor Mier <victormier@gmail.com>

src/tui/gateway-chat.test.ts

@@ -0,0 +1,61 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const loadConfig = vi.fn();
+const resolveGatewayPort = vi.fn();
+
+vi.mock("../config/config.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../config/config.js")>();
+  return {
+    ...actual,
+    loadConfig,
+    resolveGatewayPort,
+  };
+});
+
+const { resolveGatewayConnection } = await import("./gateway-chat.js");
+
+describe("resolveGatewayConnection", () => {
+  beforeEach(() => {
+    loadConfig.mockReset();
+    resolveGatewayPort.mockReset();
+    resolveGatewayPort.mockReturnValue(18789);
+  });
+
+  it("throws when url override is missing explicit credentials", () => {
+    loadConfig.mockReturnValue({ gateway: { mode: "local" } });
+
+    expect(() => resolveGatewayConnection({ url: "wss://override.example/ws" })).toThrow(
+      "explicit credentials",
+    );
+  });
+
+  it("uses explicit token when url override is set", () => {
+    loadConfig.mockReturnValue({ gateway: { mode: "local" } });
+
+    const result = resolveGatewayConnection({
+      url: "wss://override.example/ws",
+      token: "explicit-token",
+    });
+
+    expect(result).toEqual({
+      url: "wss://override.example/ws",
+      token: "explicit-token",
+      password: undefined,
+    });
+  });
+
+  it("uses explicit password when url override is set", () => {
+    loadConfig.mockReturnValue({ gateway: { mode: "local" } });
+
+    const result = resolveGatewayConnection({
+      url: "wss://override.example/ws",
+      password: "explicit-password",
+    });
+
+    expect(result).toEqual({
+      url: "wss://override.example/ws",
+      token: undefined,
+      password: "explicit-password",
+    });
+  });
+});