fix(security): sanitize error responses to prevent information leakage (#5)

* fix(security): sanitize error responses to prevent information leakage

Replace raw error messages in HTTP responses with generic messages.
Internal error details (stack traces, module paths, error messages)
were being returned to clients in 4 gateway endpoints.

* fix: sanitize 2 additional error response leaks in openresponses-http

Address CodeRabbit feedback: non-stream and streaming error paths in
openresponses-http.ts were still returning String(err) to clients.

* fix: add server-side error logging to sanitized catch blocks

Restore err parameter and add logWarn() calls so errors are still
captured server-side for diagnostics while keeping client responses
sanitized. Addresses CodeRabbit feedback about silently discarded errors.

src/gateway/tools-invoke-http.ts

@@ -348,9 +348,10 @@ export async function handleToolsInvokeHttpRequest(
     const result = await (tool as any).execute?.(`http-${Date.now()}`, toolArgs);
     sendJson(res, 200, { ok: true, result });
   } catch (err) {
+    logWarn(`tools-invoke: tool execution failed: ${String(err)}`);
     sendJson(res, 400, {
       ok: false,
-      error: { type: "tool_error", message: err instanceof Error ? err.message : String(err) },
+      error: { type: "tool_error", message: "tool execution failed" },
     });
   }