Fix all 7 issues identified in the ChatGPT audit of transformation work:
1. Android build break: Remove duplicate normalizeMainKey/isCanonicalMainSessionKey
from NodeGatewaySync.kt (they're already in SessionKey.kt). Align both Android
and iOS implementations to use "main" as canonical (case-insensitive match).
2. Rate limiting: Wire rateLimiter through GatewayRequestContext and enforce:
- Auth failure backoff (recordAuthFailure on auth failure, clearAuthFailure on success)
- Request rate limiting before handleGatewayRequest
- Channel message rate limiting in send handler
- Add TOO_MANY_REQUESTS error code
3. Injection defenses: Call sanitizeIncomingMessage in chat.send and chat.inject
handlers to detect prompt injection attempts.
4. RBAC enforcement: Add canAccessAgent check in chat.send handler and
canExecuteCommand check in node-host runner for exec commands.
5. WhatsApp encrypted backup restore: Update maybeRestoreCredsFromBackup to
handle encrypted backup files (.bak.enc -> .json.enc restoration).
6. Exec blocklist bypass: Add evaluateBlocklist check in argv-only code path
in runner.ts (previously only checked for rawCommand path).
7. iOS voice transcript: Fix line 329 in NodeAppModel.swift to use computed
'key' variable instead of original 'sessionKey' parameter.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>