fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting

apps/gateway/src/chat/chat.controller.ts

@@ -1,12 +1,20 @@
-import { Controller, Post, Body, Logger, HttpException, HttpStatus, Inject } from '@nestjs/common';
+import {
+  Controller,
+  Post,
+  Body,
+  Logger,
+  HttpException,
+  HttpStatus,
+  Inject,
+  UseGuards,
+} from '@nestjs/common';
 import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent';
+import { Throttle } from '@nestjs/throttler';
 import { AgentService } from '../agent/agent.service.js';
+import { AuthGuard } from '../auth/auth.guard.js';
+import { CurrentUser } from '../auth/current-user.decorator.js';
 import { v4 as uuid } from 'uuid';
-
-interface ChatRequest {
-  conversationId?: string;
-  content: string;
-}
+import { ChatRequestDto } from './chat.dto.js';
 
 interface ChatResponse {
   conversationId: string;
@@ -14,13 +22,18 @@ interface ChatResponse {
 }
 
 @Controller('api/chat')
+@UseGuards(AuthGuard)
 export class ChatController {
   private readonly logger = new Logger(ChatController.name);
 
   constructor(@Inject(AgentService) private readonly agentService: AgentService) {}
 
   @Post()
-  async chat(@Body() body: ChatRequest): Promise<ChatResponse> {
+  @Throttle({ default: { limit: 10, ttl: 60_000 } })
+  async chat(
+    @Body() body: ChatRequestDto,
+    @CurrentUser() user: { id: string },
+  ): Promise<ChatResponse> {
     const conversationId = body.conversationId ?? uuid();
 
     try {
@@ -36,6 +49,8 @@ export class ChatController {
       throw new HttpException('Agent session unavailable', HttpStatus.SERVICE_UNAVAILABLE);
     }
 
+    this.logger.debug(`Handling chat request for user=${user.id}, conversation=${conversationId}`);
+
     let responseText = '';
 
     const done = new Promise<void>((resolve, reject) => {