[Security] Error details leaked to unauthenticated clients in HTTP handler

## Summary
Internal error details are exposed to unauthenticated HTTP clients.

## Location
`src/gateway/server-http.ts` (compiled: `dist/gateway/server-http.js`)

## Problem
```typescript
// Line ~178-181 in compiled JS
} catch (err) {
  res.statusCode = 500;
  res.end(String(err));  // Exposes internal error details
}
```

This catch block is reached **before authentication** (loadConfig at line 151 can throw).

## Impact
- Unauthenticated users can receive internal error messages
- May leak file paths, config structure, or other sensitive info
- Severity: **MEDIUM**

## Suggested Fix
```typescript
} catch (err) {
  logError('HTTP handler error:', err);
  res.statusCode = 500;
  res.end('Internal Server Error');  // Generic message
}
```

## Verification
Confirmed by code analysis with Codex CLI.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Security] Error details leaked to unauthenticated clients in HTTP handler #2383

Summary

Location

Problem

Impact

Suggested Fix

Verification

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

[Security] Error details leaked to unauthenticated clients in HTTP handler #2383

Description

Summary

Location

Problem

Impact

Suggested Fix

Verification

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions