Let's talk about security. The Gateway daemon listens on 127.0.0.1:18789 by default. Binding to loopback means only processes on your own machine can talk to it. No firewall rules needed.
Every request to the Gateway must include the auth token from gateway.json. If a request arrives without a valid token, the daemon rejects it with a 401 status. There is no "anonymous" mode.
The daemon follows a fail-closed design: if any security check fails (bad token, unknown platform, missing config file), the request is denied. It never falls back to a permissive default. What does that mean for you? A misconfigured setup stays silent rather than leaking data. That's a good thing.