sync: record gateway final hardening

sync/CURRENT.md

@@ -10,7 +10,25 @@
 
 ## Session Status
 
-### Latest Verified State — 2026-05-12 23:08 Europe/Berlin
+### Latest Verified State — 2026-05-12 23:30 Europe/Berlin
+
+- Live hardening and verification completed:
+  - GitHub Copilot bridge now binds to loopback by default (`127.0.0.1`) and reports stable diagnostic health instead of hiding startup/auth failures behind PM2 restarts.
+  - The Copilot bridge health now exposes `auth_required`, host, package, last startup/output, and an explicit warning while `COPILOT_API_PACKAGE` is still `copilot-api@latest`.
+  - Dashboard Client Coverage now shows bridge provider/runtime state per desktop client, not only local process/install detection.
+  - Live `/api/dashboard/clients?hours=24` verifies:
+    - Codex Desktop / CLI: `live`, bridge `codex` ready, callers include `codex-cli`, `codex-live-gateway-check`, `codex-secure-tunnel-smoke`, `tokensSaved=4067`.
+    - Claude Desktop / Claude Code: `live`, bridge `claude-code` ready, callers include `claude-code-companion`, `requestCount=28`.
+    - Microsoft Copilot: local process detected, bridge `m365-copilot-bridge` remains `auth_required` until Microsoft Graph/device auth is configured.
+    - GitHub Copilot: local process/bridge detected, bridge `copilot-bridge` remains `auth_required` until GitHub Copilot device login is completed.
+  - Fresh compression proof after deploy:
+    - Caller `final-repeat-compression-smoke`, model `qwen2.5:14b`.
+    - Compression mode `ctxlean:verbatim_compact`.
+    - Tokens `8882 -> 106`, saved `8776`, savings `98.81%`.
+  - Gateway public health remains green: `/api/dashboard/health` returns `status=ok`, database `connected`.
+- Operational note:
+  - Cloudflare SSH fallback needed explicit Go DNS mode from Codex sandbox: `GODEBUG=netdns=go+1 cloudflared access ssh --hostname ssh.context-x.org`.
+  - Direct SSH to Erik was intermittent/refused during deploy, but Cloudflare SSH with the DNS override completed restart and verification.
 
 - Companion tool-use adapter added and verified:
   - Anthropic `tools` are summarized into a strict tool-use adapter instruction for the text backend.

sync/history/2026-05-12-gateway-final-hardening.md

@@ -0,0 +1,43 @@
+# LLM Gateway Final Hardening Handoff — 2026-05-12
+
+## Summary
+
+- Hardened GitHub Copilot bridge:
+  - Loopback-only default: `COPILOT_BRIDGE_HOST=127.0.0.1`.
+  - Health endpoint remains available when underlying `copilot-api` is starting, unavailable, or auth-blocked.
+  - Health now reports `auth_required`, package/version, last startup/output, and warns while `COPILOT_API_PACKAGE=copilot-api@latest`.
+  - Existing spawn/restart behavior from Erik was preserved.
+- Dashboard client coverage now reports bridge runtime state per client:
+  - Codex -> `codex`.
+  - Claude Code -> `claude-code`.
+  - Microsoft Copilot -> `m365-copilot-bridge`.
+  - GitHub Copilot -> `copilot-bridge`.
+  - ChatGPT/OpenAI Desktop -> `chatgpt-bridge`.
+- Deployed changed dashboard artifacts and restarted only `copilot-bridge` and `llm-gateway`.
+
+## Live Verification
+
+- Public Gateway health: `status=ok`, database `connected`.
+- Client coverage, 24h:
+  - Codex Desktop / CLI: `live`, bridge ready, `requestCount=3`, `tokensSaved=4067`.
+  - Claude Desktop / Claude Code: `live`, bridge ready, `requestCount=28`.
+  - Microsoft Copilot: local process detected, bridge `auth_required`.
+  - GitHub Copilot: local process detected, bridge `auth_required`.
+- Copilot bridge direct health:
+  - `status=auth_required`.
+  - `host=127.0.0.1`.
+  - `copilot_api_package=copilot-api@latest`.
+  - Detail: authorize GitHub device login shown in bridge logs.
+- Fresh compression proof:
+  - Request `chatcmpl-1778621358742-cascdms`.
+  - Caller `final-repeat-compression-smoke`.
+  - Model `qwen2.5:14b`.
+  - Compression `ctxlean:verbatim_compact`.
+  - Tokens `8882 -> 106`, saved `8776`, savings `98.81%`.
+
+## Remaining Boundaries
+
+- Gateway tracks and compresses only traffic that enters the Gateway/Companion before provider execution.
+- GitHub Copilot and Microsoft Copilot cannot be counted until their real account/device auth is completed.
+- `copilot-api@latest` should be pinned before treating the GitHub Copilot bridge as fully production-stable.
+- Erik direct SSH was intermittent/refused during deploy; Cloudflare SSH worked with `GODEBUG=netdns=go+1`.