refactor(backend): remove deprecated Gateway CLI code after Satellite pivot

Remove all Gateway CLI remnants following strategic pivot to Satellite architecture (ADR-000):

- Delete /routes/gateway/ folder and compiled artifacts
- Remove gateway route registration from routes/index.ts
- Remove gateway.config:read permission from role definitions
- Remove deploystack-gateway-cli OAuth client reference
- Remove gateway test mocks from unit tests
- Remove requireOAuthScope('mcp:read') from web-only /mcp/installations/* routes (13 files)

Web-only routes now use only requireTeamPermission() middleware, as OAuth scope checking was redundant for cookie-based authentication (skipped by middleware anyway per line 100-110 of oauthMiddleware.ts).

OAuth scopes (mcp:read, mcp:tools:execute) remain valid and are kept in:
- /routes/users/satellite/config.ts (MCP clients get satellite URLs)
- /routes/users/satellite/clients.ts (MCP client registration)
- authorizationService.ts (scope definitions)

Author: Lasim

services/backend/api-spec.json

@@ -23761,7 +23761,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Creates a new MCP server installation for the specified team. Requires Content-Type: application/json header when sending request body. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Creates a new MCP server installation for the specified team. Requires Content-Type: application/json header when sending request body.",
         "requestBody": {
           "content": {
             "application/json": {
@@ -24263,7 +24263,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Retrieves all MCP server installations for the specified team. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Retrieves all MCP server installations for the specified team.",
         "parameters": [
           {
             "schema": {
@@ -24688,7 +24688,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Retrieves a specific MCP server installation by ID for the specified team. No Content-Type header required for this GET request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Retrieves a specific MCP server installation by ID for the specified team. No Content-Type header required for this GET request.",
         "parameters": [
           {
             "schema": {
@@ -25082,7 +25082,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Updates an existing MCP server installation. Can update installation name and environment variables. Requires Content-Type: application/json header when sending request body. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Updates an existing MCP server installation. Can update installation name and environment variables. Requires Content-Type: application/json header when sending request body.",
         "requestBody": {
           "content": {
             "application/json": {
@@ -25512,7 +25512,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Removes an MCP server installation from the specified team. No Content-Type header required for this DELETE request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Removes an MCP server installation from the specified team. No Content-Type header required for this DELETE request.",
         "parameters": [
           {
             "schema": {
@@ -25721,7 +25721,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Updates the environment variables for an existing MCP server installation. This endpoint specifically handles environment variable updates only. Requires Content-Type: application/json header when sending request body. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Updates the environment variables for an existing MCP server installation. This endpoint specifically handles environment variable updates only. Requires Content-Type: application/json header when sending request body.",
         "requestBody": {
           "content": {
             "application/json": {
@@ -26145,7 +26145,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Updates the headers for an existing MCP server installation. This endpoint specifically handles headers updates only. Requires Content-Type: application/json header when sending request body. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Updates the headers for an existing MCP server installation. This endpoint specifically handles headers updates only. Requires Content-Type: application/json header when sending request body.",
         "requestBody": {
           "content": {
             "application/json": {
@@ -26569,7 +26569,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Updates the URL query parameters for an existing MCP server installation. This endpoint specifically handles query parameters updates only. Requires Content-Type: application/json header when sending request body. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Updates the URL query parameters for an existing MCP server installation. This endpoint specifically handles query parameters updates only. Requires Content-Type: application/json header when sending request body.",
         "requestBody": {
           "content": {
             "application/json": {
@@ -26993,7 +26993,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Updates the command line arguments for an existing MCP server installation. This endpoint specifically handles args updates only. Requires Content-Type: application/json header when sending request body. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Updates the command line arguments for an existing MCP server installation. This endpoint specifically handles args updates only. Requires Content-Type: application/json header when sending request body.",
         "requestBody": {
           "content": {
             "application/json": {
@@ -27417,7 +27417,7 @@
         "tags": [
           "MCP Installations"
         ],
-        "description": "Generates client-specific configuration for an MCP server installation. Supports claude-desktop, vscode, and cursor clients. No Content-Type header required for this GET request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Generates client-specific configuration for an MCP server installation. Supports claude-desktop, vscode, and cursor clients. No Content-Type header required for this GET request.",
         "parameters": [
           {
             "schema": {
@@ -27628,7 +27628,7 @@
           "MCP Installations",
           "OAuth"
         ],
-        "description": "Creates a pending MCP server installation and returns OAuth authorization URL for user authentication. Requires Content-Type: application/json header when sending request body. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Creates a pending MCP server installation and returns OAuth authorization URL for user authentication. Requires Content-Type: application/json header when sending request body.",
         "requestBody": {
           "content": {
             "application/json": {
@@ -27868,7 +27868,7 @@
           "MCP Installations",
           "OAuth"
         ],
-        "description": "Initiates OAuth re-authorization for existing installation with expired or invalid tokens. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Initiates OAuth re-authorization for existing installation with expired or invalid tokens.",
         "parameters": [
           {
             "schema": {
@@ -36159,211 +36159,6 @@
         }
       }
     },
-    "/api/gateway/me/mcp-configurations": {
-      "get": {
-        "summary": "Get merged MCP configurations for gateway",
-        "tags": [
-          "Gateway"
-        ],
-        "description": "Retrieves all MCP server configurations for the authenticated user with merged template, team, and user-specific values. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
-        "security": [
-          {
-            "cookieAuth": []
-          },
-          {
-            "bearerAuth": []
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "MCP configurations retrieved successfully",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "type": "object",
-                  "properties": {
-                    "success": {
-                      "type": "boolean",
-                      "default": true
-                    },
-                    "data": {
-                      "type": "object",
-                      "properties": {
-                        "servers": {
-                          "type": "array",
-                          "items": {
-                            "type": "object",
-                            "properties": {
-                              "id": {
-                                "type": "string",
-                                "description": "Server identifier"
-                              },
-                              "name": {
-                                "type": "string",
-                                "description": "Server name"
-                              },
-                              "command": {
-                                "type": "string",
-                                "description": "Command to execute"
-                              },
-                              "args": {
-                                "type": "array",
-                                "items": {
-                                  "type": "string"
-                                },
-                                "description": "Command arguments with user values merged"
-                              },
-                              "env": {
-                                "type": "object",
-                                "additionalProperties": {
-                                  "type": "string"
-                                },
-                                "description": "Environment variables with user values merged"
-                              },
-                              "status": {
-                                "type": "string",
-                                "enum": [
-                                  "ready",
-                                  "invalid"
-                                ],
-                                "description": "Server configuration status"
-                              }
-                            },
-                            "required": [
-                              "id",
-                              "name",
-                              "command",
-                              "args",
-                              "env",
-                              "status"
-                            ],
-                            "additionalProperties": false
-                          }
-                        }
-                      },
-                      "required": [
-                        "servers"
-                      ],
-                      "additionalProperties": false
-                    }
-                  },
-                  "required": [
-                    "success",
-                    "data"
-                  ],
-                  "additionalProperties": false,
-                  "description": "MCP configurations retrieved successfully"
-                }
-              }
-            }
-          },
-          "400": {
-            "description": "Bad Request - Invalid parameters",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "type": "object",
-                  "properties": {
-                    "success": {
-                      "type": "boolean",
-                      "default": false
-                    },
-                    "error": {
-                      "type": "string",
-                      "description": "Error message"
-                    }
-                  },
-                  "required": [
-                    "success",
-                    "error"
-                  ],
-                  "additionalProperties": false,
-                  "description": "Bad Request - Invalid parameters"
-                }
-              }
-            }
-          },
-          "401": {
-            "description": "Unauthorized",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "type": "object",
-                  "properties": {
-                    "success": {
-                      "type": "boolean",
-                      "default": false
-                    },
-                    "error": {
-                      "type": "string",
-                      "description": "Error message"
-                    }
-                  },
-                  "required": [
-                    "success",
-                    "error"
-                  ],
-                  "additionalProperties": false,
-                  "description": "Unauthorized"
-                }
-              }
-            }
-          },
-          "403": {
-            "description": "Forbidden",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "type": "object",
-                  "properties": {
-                    "success": {
-                      "type": "boolean",
-                      "default": false
-                    },
-                    "error": {
-                      "type": "string",
-                      "description": "Error message"
-                    }
-                  },
-                  "required": [
-                    "success",
-                    "error"
-                  ],
-                  "additionalProperties": false,
-                  "description": "Forbidden"
-                }
-              }
-            }
-          },
-          "500": {
-            "description": "Internal Server Error",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "type": "object",
-                  "properties": {
-                    "success": {
-                      "type": "boolean",
-                      "default": false
-                    },
-                    "error": {
-                      "type": "string",
-                      "description": "Error message"
-                    }
-                  },
-                  "required": [
-                    "success",
-                    "error"
-                  ],
-                  "additionalProperties": false,
-                  "description": "Internal Server Error"
-                }
-              }
-            }
-          }
-        }
-      }
-    },
     "/api/satellites/register": {
       "post": {
         "summary": "Register satellite with token",