fix(gateway): land #38725 from @ademczuk

Source: #38725 / 533ff3e70bdb9fd184392935e8b2f5043b176fca by @ademczuk.
Thanks @ademczuk.

Co-authored-by: ademczuk <andrew.demczuk@gmail.com>

src/gateway/auth.test.ts

@@ -367,6 +367,58 @@ describe("gateway auth", () => {
     expect(limiter.check).toHaveBeenCalledWith(undefined, "custom-scope");
     expect(limiter.recordFailure).toHaveBeenCalledWith(undefined, "custom-scope");
   });
+
+  it("does not record rate-limit failure for missing token (misconfigured client, not brute-force)", async () => {
+    const limiter = createLimiterSpy();
+    const res = await authorizeGatewayConnect({
+      auth: { mode: "token", token: "secret", allowTailscale: false },
+      connectAuth: null,
+      rateLimiter: limiter,
+    });
+
+    expect(res.ok).toBe(false);
+    expect(res.reason).toBe("token_missing");
+    expect(limiter.recordFailure).not.toHaveBeenCalled();
+  });
+
+  it("does not record rate-limit failure for missing password (misconfigured client, not brute-force)", async () => {
+    const limiter = createLimiterSpy();
+    const res = await authorizeGatewayConnect({
+      auth: { mode: "password", password: "secret", allowTailscale: false },
+      connectAuth: null,
+      rateLimiter: limiter,
+    });
+
+    expect(res.ok).toBe(false);
+    expect(res.reason).toBe("password_missing");
+    expect(limiter.recordFailure).not.toHaveBeenCalled();
+  });
+
+  it("still records rate-limit failure for wrong token (brute-force attempt)", async () => {
+    const limiter = createLimiterSpy();
+    const res = await authorizeGatewayConnect({
+      auth: { mode: "token", token: "secret", allowTailscale: false },
+      connectAuth: { token: "wrong" },
+      rateLimiter: limiter,
+    });
+
+    expect(res.ok).toBe(false);
+    expect(res.reason).toBe("token_mismatch");
+    expect(limiter.recordFailure).toHaveBeenCalled();
+  });
+
+  it("still records rate-limit failure for wrong password (brute-force attempt)", async () => {
+    const limiter = createLimiterSpy();
+    const res = await authorizeGatewayConnect({
+      auth: { mode: "password", password: "secret", allowTailscale: false },
+      connectAuth: { password: "wrong" },
+      rateLimiter: limiter,
+    });
+
+    expect(res.ok).toBe(false);
+    expect(res.reason).toBe("password_mismatch");
+    expect(limiter.recordFailure).toHaveBeenCalled();
+  });
 });
 
 describe("trusted-proxy auth", () => {

src/gateway/auth.ts

@@ -439,7 +439,9 @@ export async function authorizeGatewayConnect(
       return { ok: false, reason: "token_missing_config" };
     }
     if (!connectAuth?.token) {
-      limiter?.recordFailure(ip, rateLimitScope);
+      // Don't burn rate-limit slots for missing credentials — the client
+      // simply hasn't provided a token yet (e.g. bare browser open).
+      // Only actual *wrong* credentials should count as failures.
       return { ok: false, reason: "token_missing" };
     }
     if (!safeEqualSecret(connectAuth.token, auth.token)) {
@@ -456,7 +458,7 @@ export async function authorizeGatewayConnect(
       return { ok: false, reason: "password_missing_config" };
     }
     if (!password) {
-      limiter?.recordFailure(ip, rateLimitScope);
+      // Same as token_missing — don't penalize absent credentials.
       return { ok: false, reason: "password_missing" };
     }
     if (!safeEqualSecret(password, auth.password)) {

src/gateway/reconnect-gating.test.ts

@@ -0,0 +1,53 @@
+import { describe, expect, it } from "vitest";
+import { type GatewayErrorInfo, isNonRecoverableAuthError } from "../../ui/src/ui/gateway.ts";
+import { ConnectErrorDetailCodes } from "./protocol/connect-error-details.js";
+
+function makeError(detailCode: string): GatewayErrorInfo {
+  return { code: "connect_failed", message: "auth failed", details: { code: detailCode } };
+}
+
+describe("isNonRecoverableAuthError", () => {
+  it("returns false for undefined error (normal disconnect)", () => {
+    expect(isNonRecoverableAuthError(undefined)).toBe(false);
+  });
+
+  it("returns false for errors without detail codes (network issues)", () => {
+    expect(isNonRecoverableAuthError({ code: "connect_failed", message: "timeout" })).toBe(false);
+  });
+
+  it("blocks reconnect for AUTH_TOKEN_MISSING (misconfigured client)", () => {
+    expect(isNonRecoverableAuthError(makeError(ConnectErrorDetailCodes.AUTH_TOKEN_MISSING))).toBe(
+      true,
+    );
+  });
+
+  it("blocks reconnect for AUTH_PASSWORD_MISSING", () => {
+    expect(
+      isNonRecoverableAuthError(makeError(ConnectErrorDetailCodes.AUTH_PASSWORD_MISSING)),
+    ).toBe(true);
+  });
+
+  it("blocks reconnect for AUTH_PASSWORD_MISMATCH (wrong password won't self-correct)", () => {
+    expect(
+      isNonRecoverableAuthError(makeError(ConnectErrorDetailCodes.AUTH_PASSWORD_MISMATCH)),
+    ).toBe(true);
+  });
+
+  it("blocks reconnect for AUTH_RATE_LIMITED (reconnecting burns more slots)", () => {
+    expect(isNonRecoverableAuthError(makeError(ConnectErrorDetailCodes.AUTH_RATE_LIMITED))).toBe(
+      true,
+    );
+  });
+
+  it("allows reconnect for AUTH_TOKEN_MISMATCH (device-token fallback flow)", () => {
+    // Browser client fallback: stale device token → mismatch → sendConnect() clears it →
+    // next reconnect uses opts.token (shared gateway token). Blocking here breaks recovery.
+    expect(isNonRecoverableAuthError(makeError(ConnectErrorDetailCodes.AUTH_TOKEN_MISMATCH))).toBe(
+      false,
+    );
+  });
+
+  it("allows reconnect for unrecognized detail codes (future-proof)", () => {
+    expect(isNonRecoverableAuthError(makeError("SOME_FUTURE_CODE"))).toBe(false);
+  });
+});