Config UI: tag filters and complete schema help/labels coverage (#23796)

* Config UI: add tag filters and complete schema help/labels

* Config UI: finalize tags/help polish and unblock test suite

* Protocol: regenerate Swift gateway models

src/gateway/protocol/schema/config.ts

@@ -41,6 +41,7 @@ export const ConfigUiHintSchema = Type.Object(
   {
     label: Type.Optional(Type.String()),
     help: Type.Optional(Type.String()),
+    tags: Type.Optional(Type.Array(Type.String())),
     group: Type.Optional(Type.String()),
     order: Type.Optional(Type.Integer()),
     advanced: Type.Optional(Type.Boolean()),

src/gateway/server/ws-connection/auth-context.test.ts

@@ -2,6 +2,8 @@ import { describe, expect, it, vi } from "vitest";
 import type { AuthRateLimiter } from "../../auth-rate-limit.js";
 import { resolveConnectAuthDecision, type ConnectAuthState } from "./auth-context.js";
 
+type VerifyDeviceTokenFn = Parameters<typeof resolveConnectAuthDecision>[0]["verifyDeviceToken"];
+
 function createRateLimiter(params?: { allowed?: boolean; retryAfterMs?: number }): {
   limiter: AuthRateLimiter;
   reset: ReturnType<typeof vi.fn>;
@@ -35,7 +37,7 @@ function createBaseState(overrides?: Partial<ConnectAuthState>): ConnectAuthStat
 }
 
 async function resolveDeviceTokenDecision(params: {
-  verifyDeviceToken: ReturnType<typeof vi.fn>;
+  verifyDeviceToken: VerifyDeviceTokenFn;
   stateOverrides?: Partial<ConnectAuthState>;
   rateLimiter?: AuthRateLimiter;
   clientIp?: string;
@@ -54,7 +56,7 @@ async function resolveDeviceTokenDecision(params: {
 
 describe("resolveConnectAuthDecision", () => {
   it("keeps shared-secret mismatch when fallback device-token check fails", async () => {
-    const verifyDeviceToken = vi.fn(async () => ({ ok: false }));
+    const verifyDeviceToken = vi.fn<VerifyDeviceTokenFn>(async () => ({ ok: false }));
     const decision = await resolveConnectAuthDecision({
       state: createBaseState(),
       hasDeviceIdentity: true,
@@ -69,7 +71,7 @@ describe("resolveConnectAuthDecision", () => {
   });
 
   it("reports explicit device-token mismatches as device_token_mismatch", async () => {
-    const verifyDeviceToken = vi.fn(async () => ({ ok: false }));
+    const verifyDeviceToken = vi.fn<VerifyDeviceTokenFn>(async () => ({ ok: false }));
     const decision = await resolveConnectAuthDecision({
       state: createBaseState({
         deviceTokenCandidateSource: "explicit-device-token",
@@ -86,7 +88,7 @@ describe("resolveConnectAuthDecision", () => {
 
   it("accepts valid device tokens and marks auth method as device-token", async () => {
     const rateLimiter = createRateLimiter();
-    const verifyDeviceToken = vi.fn(async () => ({ ok: true }));
+    const verifyDeviceToken = vi.fn<VerifyDeviceTokenFn>(async () => ({ ok: true }));
     const decision = await resolveDeviceTokenDecision({
       verifyDeviceToken,
       rateLimiter: rateLimiter.limiter,
@@ -100,7 +102,7 @@ describe("resolveConnectAuthDecision", () => {
 
   it("returns rate-limited auth result without verifying device token", async () => {
     const rateLimiter = createRateLimiter({ allowed: false, retryAfterMs: 60_000 });
-    const verifyDeviceToken = vi.fn(async () => ({ ok: true }));
+    const verifyDeviceToken = vi.fn<VerifyDeviceTokenFn>(async () => ({ ok: true }));
     const decision = await resolveDeviceTokenDecision({
       verifyDeviceToken,
       rateLimiter: rateLimiter.limiter,
@@ -113,7 +115,7 @@ describe("resolveConnectAuthDecision", () => {
   });
 
   it("returns the original decision when device fallback does not apply", async () => {
-    const verifyDeviceToken = vi.fn(async () => ({ ok: true }));
+    const verifyDeviceToken = vi.fn<VerifyDeviceTokenFn>(async () => ({ ok: true }));
     const decision = await resolveConnectAuthDecision({
       state: createBaseState({
         authResult: { ok: true, method: "token" },