fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting

apps/gateway/src/main.ts

@@ -1,19 +1,36 @@
 import './tracing.js';
 import 'reflect-metadata';
 import { NestFactory } from '@nestjs/core';
-import { Logger } from '@nestjs/common';
+import { Logger, ValidationPipe } from '@nestjs/common';
 import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
+import helmet from '@fastify/helmet';
 import { AppModule } from './app.module.js';
 import { mountAuthHandler } from './auth/auth.controller.js';
 
 async function bootstrap(): Promise<void> {
+  if (!process.env['BETTER_AUTH_SECRET']) {
+    throw new Error('BETTER_AUTH_SECRET is required');
+  }
+
   const logger = new Logger('Bootstrap');
-  const app = await NestFactory.create<NestFastifyApplication>(AppModule, new FastifyAdapter());
+  const app = await NestFactory.create<NestFastifyApplication>(
+    AppModule,
+    new FastifyAdapter({ bodyLimit: 1_048_576 }),
+  );
+
+  await app.register(helmet as never, { contentSecurityPolicy: false });
+  app.useGlobalPipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  );
 
   mountAuthHandler(app);
 
-  const port = process.env['GATEWAY_PORT'] ?? 4000;
-  await app.listen(port as number, '0.0.0.0');
+  const port = Number(process.env['GATEWAY_PORT'] ?? 4000);
+  await app.listen(port, '0.0.0.0');
   logger.log(`Gateway listening on port ${port}`);
 }