feat(gateway): add websocket ingress rate limiting

src/config/schema.ts

@@ -24,6 +24,14 @@ const pairingSchema = z.object({
   code_length: z.number().default(6),
 }).default({});
 
+const wsRateLimitSchema = z.object({
+  enabled: z.boolean().default(true),
+  capacity: z.number().min(1).max(1000).default(30),
+  refill_per_sec: z.number().min(1).max(1000).default(15),
+  max_violations: z.number().min(1).max(100).default(8),
+  violation_window_ms: z.number().min(1000).max(60000).default(10000),
+}).default({});
+
 const serverSchema = z.object({
   tailscale: tailscaleSchema,
   localhost: z.boolean().default(true),
@@ -38,6 +46,8 @@ const serverSchema = z.object({
   lock: z.boolean().default(false),
   /** Maximum size (bytes) for inbound HTTP request bodies (webhooks/Gmail push). */
   max_request_body_bytes: z.number().min(1024).max(10 * 1024 * 1024).default(1_048_576),
+  /** Per-connection WebSocket ingress rate limit settings. */
+  ws_rate_limit: wsRateLimitSchema,
 });
 
 /** All supported model provider identifiers. Used by the config schema and TUI autocompletion. */