fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting

docs/scratchpads/gateway-security-20260313.md

@@ -46,9 +46,23 @@ Complete the remaining gateway security hardening work:
 
 ## Verification Log
 
-- Pending.
+- `pnpm --filter @mosaic/gateway test -- src/chat/__tests__/chat-security.test.ts src/__tests__/resource-ownership.test.ts`
+  - Red: failed on socket session reshaping and DTO role/length mismatches.
+  - Green: passed with 3 test files and 20 tests passing.
+- `pnpm typecheck`
+  - Pass on 2026-03-13 with 18/18 package typecheck tasks successful.
+- `pnpm lint`
+  - Pass on 2026-03-13 with 18/18 package lint tasks successful.
+- `pnpm format:check`
+  - Pass on 2026-03-13 with `All matched files use Prettier code style!`
+
+## Review Log
+
+- Manual review completed against auth, authorization, validation, and runtime hardening requirements.
+- No blocker findings remained after remediation.
 
 ## Risks / Blockers
 
 - Repository instructions conflict on PR merge behavior; user explicitly instructed PR-only, no merge. Follow user instruction.
 - Existing worktree contains prior-session modifications; do not revert unrelated changes.
+- `missions` and `tasks` currently depend on project ownership because the schema does not carry a direct user owner column.