security: harden WhatsApp gateway — bearer auth, CORS, error redaction, PII logs #1246

Open
BunnyMoth wants to merge 2 commits into RightNow-AI:main from BunnyMoth:fix/whatsapp-gateway-hardening

Conversation

@BunnyMoth

Summary

Security hardening for the WhatsApp gateway (packages/whatsapp-gateway/).
The gateway is a separate Node.js process that does not inherit any of the
Rust-side security layers.

Changes

Bearer token authentication on all endpoints

All endpoints (/login/start, /login/status, /message/send, /health)
now require Authorization: Bearer <token>. Token is generated at startup
via crypto.randomBytes(32), logged once to stdout for the Rust kernel to
capture, and validated with timingSafeEqual to prevent timing attacks.

Removed Access-Control-Allow-Origin: *

This is a localhost service-to-service API, not a browser-facing one.
The wildcard CORS header allowed any webpage to send WhatsApp messages
as the linked account (localhost-CSRF vector). Removed entirely.

auth_store directory permissions

fs.chmodSync(authDir, 0o700) applied after useMultiFileAuthState
creates the directory (Linux/Mac only, guarded by process.platform !== 'win32').

Generic error responses

Raw err.message was being returned to API clients. Replaced with
{ error: 'internal error' } — full error logged server-side only.

PII redaction in logs

Phone numbers now show last 4 digits only. Control characters stripped
from pushName before logging (prevents log injection).

Removed deprecated printQRInTerminal: true

Removed — QR is already served via the data-URL endpoint.

Renamed session_id → connection_id

session_id was never validated anywhere, misleadingly suggesting it
was a credential. Renamed to connection_id to clarify it is informational only.

Committed package-lock.json

Pins the dependency tree to a reproducible snapshot.
npm audit reports 0 vulnerabilities against this lockfile.

Testing

  • node --check index.js — syntax clean
  • npm audit — 0 vulnerabilities
  • cargo test --workspace — 2,074 tests, 0 failures
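
An added example, not code from this pull request: one way to implement the bearer-token check described under "Bearer token authentication on all endpoints", including the case where the presented token has a different length (crypto.timingSafeEqual throws on unequal-length buffers). CommonJS, the function names, the accepted token character set and the 401 response body are assumptions made for illustration.

```javascript
// Added example; names, CommonJS and the 401 body are assumptions, not the PR's code.
const crypto = require('node:crypto');

// Per-process token created once at startup: 32 random bytes, hex-encoded.
function generateToken() {
  return crypto.randomBytes(32).toString('hex');
}

// timingSafeEqual throws a RangeError when buffer lengths differ, so both
// values are hashed first: the digests are always 32 bytes, and a short or
// long guess is rejected through the same code path as a wrong one.
function constantTimeEquals(presented, expected) {
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// True only for a header of the form "Bearer <expected token>".
// A missing header, another scheme or a bare token is rejected.
function isAuthorized(authorizationHeader, expectedToken) {
  if (typeof authorizationHeader !== 'string') return false;
  const match = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/i.exec(authorizationHeader);
  if (!match) return false;
  return constantTimeEquals(match[1], expectedToken);
}

// Gate to call at the top of the request handler, before any routing,
// so every endpoint (including a health check) is covered.
// Returns true when the request may proceed; otherwise sends a generic 401.
function authGate(req, res, expectedToken) {
  if (isAuthorized(req.headers['authorization'], expectedToken)) return true;
  res.writeHead(401, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ error: 'unauthorized' }));
  return false;
}
```
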
